iochain

VMware NSX – IOChain and how packets are processed within the kernel

During a meeting with a client when I was going over how packets are processed within the IOChain between a VM and a vSwitch, I was asked a question that stumped me…. what happens at Slot 3?

It’s common knowledge that the first 4 and last 3 slots in the IOchain are reserved for VMware and slots 4-12 are reserved for 3rd parties where services are inserted (or traffic redirected).

During my discussions I’ve only ever spoken about Slots 0-2 and 4-12…..

After much digging around and questioning the NSBU SEs, I was told that there was no real answer apart from it’s probably a VMware reserved slot for future use. =)

It’s also worth noting that Slot 15 used to be classed as a “reserved slot for future use” but is now intended to be used for Distributed Network Encryption when it becomes available (makes sense that encryption is the last thing that happens on the IOChain for packets leaving a VM, and decryption being the first for packets entering the VM).

Anyways, decided it’s probably worth blogging about IOChain slots. =)

 

So when a VM connects to a Logical switch there are several security services that each packet transverses which are implemented as IOChains processed within the vSphere kernel.

Slot 0: DVFilter – the Distibuted Virtual Filter monitors ingress/egress traffic on the protected vNIC and performs stateless filtering and ACL.

Slot 1: vmware-swsec – the Switch Security module learns the VMs IP/MAC address and captures any DHCP Ack or ARP broadcasts from the VM, redirecting the request to the NSX Controller – this is the ARP suppression feature. This slot is also where NSX IP Spoofguard is implemented.

Slot 2: vmware-sfw – this is where the NSX Distributed Firewall resides and where DFW rules are stored and enforced (so firewall rule and connection tables).

Slot 3: reserved for future use by VMware

Slot 4-12: 3rd party services – this is where traffic is redirected to 3rd party service appliances

Slot 13-14: reserved for future use by VMware

Slot 15: Distributed Network Encryption (when it becomes available)

Introducing VMware NSX for vSphere 6.3 & VMware…

Introducing VMware NSX for vSphere 6.3 & VMware NSX-T 1.1. Plus the all new NSX for ROBO edition!


Introducing VMware NSX for vSphere 6.3 & VMware…

This past week at VMware has been quite exciting! Pat Gelsinger, VMware CEO, reported on the Q4 2016 earnings call that VMware NSX has more than 2,400 customers exiting 2016. Today, we continue that momentum by announcing new releases of our two different VMware NSX platforms – VMware NSX™ for vSphere® 6.3 and VMware NSX-T 1.1.


VMware Social Media Advocacy

vSphere 6.5 Product Interoperability – brain fade moment!

So it’s probably worth reminding everyone that there are still VMware products that are not yet supported on vSphere 6.5!

I unfortunately found out the hard way when I broke my work’s demo environment (or at least half of it).

Now even though I’ve blogged about compatibility issues previously eating too many mince pies and drinking too much bucks fizz over the Christmas and New Year festivities has obviously taken its toll on my grey matter, and coming back to work in the new year I decided it would be a nice idea to upgrade a part of my works demo environment to vSphere 6.5 so that we can use it to demo to customers!

The problem was I upgraded the part of the lab running NSX and when I got to the point of trying to push the NSX VIBs onto the ESXi hosts (when preparing the hosts to join the NSX cluster), it was having none of it and failing! After several unsuccessful attempts, it slowly dawned on me that NSX was one of those ‘unsupported’ products that doesn’t work with vSphere 6.5…..

Damn…..

Fortunately I didn’t destroy my old vCenter Server 6.0u2 appliance so was able to roll back by re-installing the ESXi hosts with 6.0.

 

Anyways, the products still not supported are:

  • VMware NSX
  • VMware Integrated OpenStack
  • vCloud Director for Service Providers
  • vRealize Infrastructure Navigator
  • Horizon Air Hybrid-Mode
  • vCloud Networking and Security
  • vRealize Hyperic
  • vRealize Networking Insight

 

Definitely worth keeping an eye on this VMware KB: Important information before upgrading to vSphere 6.5 (2147548)

And if you do end up upgrading to vSphere 6.5, then make sure you follow the recommended upgrade sequence in this VMware KB: Update sequence for vSphere 6.5 and its compatible VMware products (2147289)

MTI/IDG Whitepaper

My company – MTI Techology – recently undertook an engagement with IDG to produce a whitepaper highlighting how VMware NSX could be used to address Security, Automation and Innovation within the Financial market.

TBH, the whitepaper can apply to any market who are experiencing the same business challenges!

http://www.idgconnect.com/view_abstract/41130/security-automation-innovation-steps-drive-success-financial-services

EDIT: Forgot to mention that you need to sign up for a free account in order to download the whitepaper. =)

What’s new with VMware vSAN 6.5?

Given that I’m a VMware vExpert for vSAN, I guess I’m kind of obliged to write about what’s new with the latest iteration of vSAN – 6.5….. =)

vSAN 6.5 is the 5th version of vSAN to be released and it’s had quite a rapid adoption in the industry as end-users start looking at Hyper-Converged Solutions. There are over 5000+ customers now utilising vSAN – everything from Production workloads through to Test & Dev, including VDI workloads and DR solutions! This is quite surprising considering we’re looking at a product that’s just under 3 years old… it’s become a mature product in such a short period of time!

The first thing to note is the acronym change…. it’s now little ‘v’ for vSAN in order to fall in line with most of the other VMware products! =)

So what are the key new features?

1. vSAN iSCSI

This is probably the most useful feature in 6.5 as it gives you the ability to create iSCSI targets and LUNs within your vSAN cluster and present these outside of the vSAN Cluster – which means you can now connect other VMs or physical servers to your vSAN storage (this could be advantageous if you’re trying to run a MSCS workload). The iSCSI support is native from within the VMkernel and doesn’t use any sort of storage appliance to create and mount the LUNs. At present only 128 targets are supported with 1024 LUNs and a max. LUN size of 62TB.

vsan-iscsi

It seems quite simple to setup (famous last words – I’ve not deployed 6.5 with iSCSI targets yet). First thing is to enabled the vSAN iSCSI Target service on the vSAN cluster, after that you create an iSCSI target and assign a LUN to it… that’s pretty much it!

Great thing about this feature is because the LUNs are basically vSAN objects, you can assign a storage policy to it and use all the nice vSAN SPBM features (dedupe, compression, erasure-coding, etc).

2. 2-node direct connect for vSAN ROBO + vSAN Advanced ROBO

Customers find it quite difficult to try and justify purchasing a 10GbE network switch in order to connect together a few nodes at a ROBO site. VMware have taken customer feedback and added a new feature which allows you to direct connect the vSAN ROBO nodes together using a cross-over network cable.

In prior versions of vSAN both vSAN traffic and witness traffic used the same VMkernel port which prevented the ability to use a direct connection as there would be no way to communicate with the witness node (usually back in the primary DC where the vCenter resides). In vSAN 6.5 you now have the ability to separate out vSAN and witness traffic onto separate VMkernel ports which means you can direct connect your vSAN ports together. This is obviously great as you can then stick in a 10GbE NIC and get 10Gb performance for vSAN traffic (and vMotion) without the need of a switch!

vsan_2node_robo

The only minor issue is you need to use the CLI to run some commands to tag a VMkernel port as the designated witness interface. Also the recommended setup would be to use 2 VMkernel ports per traffic flow in order to give you an active/standby configuration.

vsan-2node2nic

It’s also worth noting that the new vSAN Advanced ROBO licenses now allow end-users to deploy all-flash configurations at their ROBO site with the added space efficiency features!

3. vSAN All-Flash now available on all license editions

Yup, the All-Flash Tax has gone! You can now deploy an All-Flash vSAN configuration without having to buy an advanced or enterprise license. However, if you want any of the space saving features such as dedupe, compression and erasure coding then you require at least the Advanced edition.

4. 512e drive support

With larger drives now coming onto the market, there has been a request from customers for 4k drive support. Unfortunately there is still no support for the 4k native devices, however there is now support for 512e devices (so physical sector is 4k, logical sector emulates 512bytes).

More information on 4Kn or 512e support can be found here: https://kb.vmware.com/kb/2091600

5. PowerCLI cmdlets for vSAN

New cmdlets are available for vSAN allowing you to script and automate various vSAN tasks (from enabling vSAN to the deployment and configuration of a vSAN stretched cluster). The most obvious use will be using cmdlets to automatically assign storage policies to multiple VMs.

More info on he cmdlet updates available here: http://blogs.vmware.com/PowerCLI/2016/11/new-release-powercli-6-5-r1.html

6. vSAN storage for Cloud Native Apps (CNA)

Integration with Photon means you can now use a vSAN cluster in a CNA enviroment managed by Photon Controller. In addition, now that vSphere Integrated Containers (VIC) is included with vSphere 6.5, you can now use vSAN as storage for the VIC engine. Finally Docker Volume Driver enables you to create and manage Docker container data volumes on vSAN.

For more information about vSAN 6.5, point your browsers to this great technical website: https://storagehub.vmware.com/#!/vmware-vsan/vmware-vsan-6-5-technical-overview

VMware badges – Acclaim

So my digital badges came through today from Acclaim….

A little part of me wishes that I had the time to do more VMware training and exams…… then reality sets in and I remember that I have a full time job, a mortgage to pay and a 14 month old baby!!

….. maybe in 18 years time when I get shot of the little one! ;oP

Guess these will sit nicely alongside my vExpert Badges!

What’s New in vSphere 6.5: vCenter management…

What’s New in vSphere 6.5: vCenter management clients – VMware vSphere Blog


What’s New in vSphere 6.5: vCenter management…

vSphere 6.5 brings with it significant changes to the vCenter Server management clients including the vSphere Web Client and new HTML5 based vSphere Client. A detailed FAQ can be found here in this KB article; a summary of the changes are given below in this blog post.


VMware Social Media Advocacy

VMware makes welcome changes in vSphere 6.5

So the 2nd and 3rd part of my vSphere 6.5 articles have made it onto the SearchVMware.com website… you can read about it here:

http://searchvmware.techtarget.com/tip/VMware-vSphere-65-puts-emphasis-on-security-applications

http://searchvmware.techtarget.com/tip/VMware-makes-welcome-changes-in-vSphere-65

 

You can read part 1 here: http://searchvmware.techtarget.com/tip/VMware-focuses-on-simplicity-in-vSphere-version-65

Network Virtualisation – The Answer to Data Centre Security

I’m always being asked to write something high-level about NSX, and for a techie I’ve always struggled to keep technology out of these types of articles.

As MTI are sponsoring and exhibiting at ESRM tomorrow, I was asked at the last minute whether I would like to write an article for ESRM’s blog regarding what MTI will be talking about on their stand.

Anyways, with such late notice I hope I’ve done NSX and MTI justice….

http://www.whitehallmedia.co.uk/esrm/uncategorized/network-virtualisation-answer-data-centre-security/