Section 3 – Create a vSphere Physical Design from an Existing Logical Design
Objective 3.1 – Transition from a Logical Design to a vSphere 5.x Physical Design
Skills and Abilities
1. Determine and explain design decisions and options selected from the logical design.
The main drivers behind my design decisions were cost and space requirements; this is why I opted for the HP MicroServers and the TP-Link smart switch: they are relatively inexpensive, energy efficient and take up very little space.
2. Build functional requirements into the physical design.
One of my functional requirements is that VLAN tagging needs to be available. I opted for the Asus RT-AC68U wireless router, not only because it’s an awesome piece of kit but because I intend to flash it with Tomato or DD-WRT (research ongoing), which should allow me to enable VLAN tagging.
3. Given a logical design, create a physical design taking into account requirements, assumptions and constraints.
Nothing to add here.
4. Given the operational structure of an organization, identify the appropriate management tools and roles for each staff member.
Management tools were covered in an earlier objective, e.g. vMA, the vSphere Web Client, PowerCLI, etc.
Below are the predefined roles; new roles can be created to satisfy security requirements, and a custom role should carry only the privileges that a staff member’s duties actually need.
- No Access
- Read Only
- Administrator
- Virtual Machine Power User
- Virtual Machine User
- Resource Pool Administrator
- Datastore Consumer
- Network Consumer
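As an added example (not code from the original post), the PowerCLI below creates a least-privilege custom role for VM operators and grants it on a single resource pool rather than at the datacenter root, then runs two checks a reviewer would want: which custom roles can modify permissions (effectively Administrator), and where the built-in Administrator role is granted. The vCenter name, the resource pool "Dev-Pool" and the group "LAB\vm-operators" are assumptions; the privilege IDs are the dotted names the vSphere Client shows.

```powershell
# Added example, not from the original post. Assumes PowerCLI 5.x and that
# vcenter.lab.local, resource pool 'Dev-Pool' and group 'LAB\vm-operators'
# exist (all three are assumptions).
Connect-VIServer -Server vcenter.lab.local

# Only power operations and console access: no snapshot, configuration
# or device rights.
$privilegeIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Interact.ConsoleInteract'
)
$privileges = Get-VIPrivilege -Id $privilegeIds

# Create the role. New-VIRole fails if the name is already taken, which is
# what you want: it avoids silently reusing someone else's role.
$role = New-VIRole -Name 'VM Operator (power and console)' -Privilege $privileges

# Grant it on the resource pool only, propagating to the VMs inside it.
# Nothing above the pool (cluster, datacenter) is touched.
$pool = Get-ResourcePool -Name 'Dev-Pool'
New-VIPermission -Entity $pool -Principal 'LAB\vm-operators' -Role $role -Propagate $true

# Check 1: no custom role should carry the privilege that lets its holder
# change permissions, since that is equivalent to Administrator.
Get-VIRole |
    Where-Object { -not $_.IsSystem -and $_.PrivilegeList -contains 'Authorization.ModifyPermissions' } |
    Select-Object Name

# Check 2: every permission that uses the built-in Administrator role
# (role name 'Admin'), and where in the inventory it is granted.
Get-VIPermission | Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, Entity, Propagate
```

Granting on the resource pool rather than the root means the group gets nothing on hosts, datastores or networks it does not need; if the checks return unexpected rows, that is the place to start tightening.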
Objective 3.2 – Create a vSphere 5.x Physical Network Design from an Existing Logical Design
1. Describe VLAN options, including Private VLANs, with respect to virtual and physical switches.
I’ve borrowed some of the material below from the excellent BrownBag VCAP DCD Study outline as they’ve already done a great job of covering the major points.
- VLANs – available on both vSS and vDS; three tagging modes: EST (External Switch Tagging, port group VLAN ID 0, the physical switch port does the tagging), VST (Virtual Switch Tagging, VLAN ID 1–4094, the vSwitch adds and strips the 802.1Q tag; the usual choice) and VGT (Virtual Guest Tagging, VLAN ID 4095, tagged frames are passed through and the guest OS tags)
- PVLANs – vDS only; the primary PVLAN is promiscuous, secondary PVLANs are either community (members talk to each other and to the promiscuous VLAN) or isolated (members talk only to the promiscuous VLAN); physical switches carrying PVLAN traffic between hosts must be PVLAN-aware
- pSwitches – ESXi-facing ports must be 802.1Q trunk ports; where supported, enable link-state tracking so an upstream failure is reported to the host as link-down, and do not carry port group traffic on the native (untagged) VLAN
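As an added example (not code from the original post), the following PowerCLI builds one port group per tagging mode on a standard switch, a trunk-range port group and an isolated private VLAN on a distributed switch, and then lists port groups that rely on VLAN 0 or 4095, which are the two values worth questioning in a design review. Host, switch and VLAN IDs are assumptions; the New-VDSwitchPrivateVlan and Set-VDVlanConfiguration parameter names are as I recall them from PowerCLI 5.1 and should be confirmed with Get-Help.

```powershell
# Added example, not from the original post. Assumes PowerCLI 5.1+ and that
# esxi01.lab.local, vSwitch1 and dvSwitch1 exist; VLAN IDs are assumptions.
Connect-VIServer -Server vcenter.lab.local
$vmhost = Get-VMHost -Name esxi01.lab.local
$vss    = Get-VirtualSwitch -VMHost $vmhost -Name vSwitch1

# EST: VLAN ID 0. Frames leave the host untagged; the physical access port
# (or the trunk's native VLAN) decides the VLAN, which is why VLAN 0 is
# avoided for anything security-relevant.
New-VirtualPortGroup -VirtualSwitch $vss -Name 'VM-EST' -VLanId 0

# VST: the vSwitch inserts and strips the 802.1Q tag. The uplinks must be
# trunks that allow VLAN 10.
New-VirtualPortGroup -VirtualSwitch $vss -Name 'VM-VLAN10' -VLanId 10

# VGT: 4095 passes tagged frames to the guest, which runs its own 802.1Q
# driver. Give this only to VMs that genuinely need several VLANs (e.g. a
# virtual firewall): the guest can then use any VLAN the trunk carries.
New-VirtualPortGroup -VirtualSwitch $vss -Name 'VM-VGT' -VLanId 4095

# Distributed switch: an explicit trunk range is narrower than 4095, so
# prefer it to VGT when the set of VLANs is known.
$vds = Get-VDSwitch -Name dvSwitch1
New-VDPortgroup -VDSwitch $vds -Name 'VM-Trunk' -VlanTrunkRange '10-20,30'

# Private VLAN: primary 100 (promiscuous), isolated secondary 101. VMs in the
# isolated port group reach only promiscuous members (e.g. the gateway),
# never each other, without needing one VLAN per VM.
New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 100 -SecondaryVlanId 100 -PrivateVlanType Promiscuous
New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 100 -SecondaryVlanId 101 -PrivateVlanType Isolated
$isolatedPg = New-VDPortgroup -VDSwitch $vds -Name 'VM-PVLAN-Isolated'
Set-VDVlanConfiguration -VDPortgroup $isolatedPg -PrivateVlanId 101

# Check: standard port groups on this host using the native VLAN (0) or
# guest tagging (4095).
Get-VirtualPortGroup -VMHost $vmhost -Standard |
    Where-Object { $_.VLanId -eq 0 -or $_.VLanId -eq 4095 } |
    Select-Object Name, VirtualSwitchName, VLanId
```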
2. Describe switch-specific settings for ESXi-facing ports, including but not limited to:
- STP – the vSwitch does not participate in Spanning Tree, so set the ESXi-facing ports to PortFast (edge) rather than disabling STP on the switch; a VM that bridges traffic can still emit BPDUs, which is what BPDU Guard on the switch port (and the Net.BlockGuestBPDU host setting in ESXi 5.1+) is for
- Jumbo Frames – enable end to end (VMkernel port, vSwitch, physical switch ports, storage array); a single segment left at 1500 bytes causes fragmentation or drops
- Load-balancing / NIC teaming – Route based on originating virtual port ID needs no switch-side configuration; Route based on IP hash requires a static EtherChannel (port channel) on the physical switch
- Trunking – configure 802.1Q trunks on the ESXi-facing ports when VLAN tagging is used; allow only the VLANs the host needs and turn off trunk negotiation (DTP)
3. Describe network redundancy considerations at each individual component level.
- Management network – use active/standby vmnics (pNICs)
- Either two vSwitches with a management network on each, or one management network backed by two pNICs
- Dual physical switches
- Multiple pNICs within each host, spread across separate physical adapters where possible
- Multipathing for storage (HBAs)
4. Cite virtual switch security policies and settings
- Failback – default Yes; consider No for the management and IP-storage port groups: a physical switch port can report link-up (e.g. while the switch is still booting) before it actually forwards traffic, and failing back immediately onto such a link causes an outage
- Notify Switches – Yes; the host sends RARP frames so the physical switch learns the vNIC MAC on the new uplink after a failover or vMotion (set No only for Microsoft NLB in unicast mode)
- VM network traffic – configure the port group’s pNICs Active/Active
- IP storage – segregate from VM traffic with VLANs; restrict NFS exports (/etc/exports on the filer) to the VMkernel IP addresses; use CHAP (mutual CHAP where supported) for iSCSI
- MAC Address Changes – Reject; set Accept only where a configuration legitimately needs it (e.g. some iSCSI setups, Microsoft NLB in unicast mode)
- Forged Transmits – Reject; stops a VM sending frames with a source MAC other than its own (MAC impersonation)
- Promiscuous Mode – Reject; enable only on a dedicated port group for a sensor or monitoring VM that must see all traffic
- IPsec – authentication and encryption of VMkernel traffic; in ESXi 5.x it is supported for IPv6 only
- Do not use the native VLAN on ESXi-facing trunk ports (or for any port group) to prevent VLAN hopping
Skills and Abilities
5. Based on the service catalog and given functional requirements, for each service:
- Determine the most appropriate networking technologies for the design.
- Implement the service based on the required infrastructure qualities (AMPRS).
- vSS vs vDS – small or relatively large infrastructure? In my case I will be using a hybrid solution: vSS for management, vMotion and FT, and vDS for VM and NFS traffic.
- VLANs or not – meet compliance or SLAs by segregating traffic; I will be using VLANs.
- IP storage? – jumbo frames configured; I intend to use NFS-based storage but will not be enabling jumbo frames as my switch does not support it.
- My networking will be 1GbE.
6. Determine and explain the selected network teaming and failover solution.
- Default teaming = Route based on originating virtual port ID; the other options are Route based on source MAC hash, Route based on IP hash (needs a static EtherChannel on the physical switch) and Use explicit failover order. I’ll be using route based on originating virtual port ID.
- Default network failover detection = Link status only; beacon probing is the alternative and is only worthwhile with three or more uplinks. Use explicit failover order is the policy that honours the Active/Standby uplink order strictly.
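As an added example (not code from the original post) covering both the virtual switch security settings cited under item 4 and the teaming and failover choice above, this PowerCLI first audits every standard switch and port group on a host for the three settings that should be Reject, then sets them at switch level, overrides promiscuous mode only on a sensor port group, and applies the active/standby management teaming with failback disabled. The host name, the uplinks vmnic0/vmnic1 and the port group "IDS-Span" are assumptions.

```powershell
# Added example, not from the original post. Assumes esxi01.lab.local with
# standard switches, uplinks vmnic0/vmnic1 on the management vSwitch, and a
# port group named 'IDS-Span' (all assumptions).
Connect-VIServer -Server vcenter.lab.local
$vmhost = Get-VMHost -Name esxi01.lab.local

# 1. Audit: report every standard switch or port group that accepts
#    promiscuous mode, MAC address changes or forged transmits.
function Get-WeakSecurityPolicy {
    param($VMHost)
    foreach ($sw in Get-VirtualSwitch -VMHost $VMHost -Standard) {
        $p = Get-SecurityPolicy -VirtualSwitch $sw
        if ($p.AllowPromiscuous -or $p.MacChanges -or $p.ForgedTransmits) {
            [pscustomobject]@{ Object = $sw.Name; Level = 'vSwitch'
                Promiscuous = $p.AllowPromiscuous; MacChanges = $p.MacChanges
                ForgedTransmits = $p.ForgedTransmits }
        }
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $sw) {
            $q = Get-SecurityPolicy -VirtualPortGroup $pg
            if ($q.AllowPromiscuous -or $q.MacChanges -or $q.ForgedTransmits) {
                [pscustomobject]@{ Object = $pg.Name; Level = 'PortGroup'
                    Promiscuous = $q.AllowPromiscuous; MacChanges = $q.MacChanges
                    ForgedTransmits = $q.ForgedTransmits }
            }
        }
    }
}
Get-WeakSecurityPolicy -VMHost $vmhost | Format-Table -AutoSize

# 2. Remediate at switch level; port groups inherit unless explicitly
#    overridden, so check the audit output again afterwards.
Get-VirtualSwitch -VMHost $vmhost -Standard | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false

# A sensor VM legitimately needs promiscuous mode: override on its own port
# group only, and keep the other two settings at Reject.
Get-VirtualPortGroup -VMHost $vmhost -Name 'IDS-Span' | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -MacChanges $false -ForgedTransmits $false

# 3. Management network teaming: vmnic0 active, vmnic1 standby, originating
#    port ID, link-status detection, notify switches on, failback off so a
#    link that comes up before the switch forwards is not used too early.
Get-VirtualPortGroup -VMHost $vmhost -Name 'Management Network' | Get-NicTeamingPolicy |
    Set-NicTeamingPolicy -LoadBalancingPolicy LoadBalanceSrcId `
                         -NetworkFailoverDetectionPolicy LinkStatus `
                         -NotifySwitches $true -FailbackEnabled $false `
                         -MakeNicActive vmnic0 -MakeNicStandby vmnic1
```

Running the audit before and after the remediation is the point of the function: the second run should return only the IDS-Span row, with Promiscuous true and the other two false.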
7. Implement logical Trust Zones using network security/firewall technologies.
This was covered in the security section.
8. Based on service level requirements, determine appropriate network performance characteristics.
Taken from VMware vDS best practices.
9. Given a current network configuration as well as technical requirements and constraints, determine the appropriate virtual switch solution:
- vSphere Standard Switch
- vSphere Distributed Switch
- Third-party solutions (ex. Nexus 1000V)
- Hybrid solution
- vSS – suited to smaller environments; configured per host, so settings drift between hosts unless host profiles or scripting keep them aligned
- vDS – centralised management and configuration across hosts; suited to larger environments; requires Enterprise Plus licensing
- 3rd party (Nexus 1000V) – check which vSphere features are supported with it (e.g. vShield, iSCSI, Host Profiles, AppSpeed, vDR, multipathing) and which are not (DPM, SRM)
- Hybrid – keep management traffic on a vSS so host connectivity and vCenter itself do not depend on a vDS (a vDS keeps forwarding if vCenter is down, but it cannot be reconfigured until vCenter returns); also used when mixing ESX hosts (Service Console) and ESXi hosts (management networks)
- Cisco PDF comparing the features of vSS, vDS and the Nexus 1000V: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/solution_overview_c22-526262.pdf; compare the switches against the business requirements, bearing in mind that budget may constrain both the purchase of a third-party switch and the vSphere edition needed
10. Based on an existing logical design, determine appropriate host networking resources.
Based on requirements, budget, constraints, etc.
11. Properly apply converged networking considering VMware best practices.
- Using 10GbE cards and consolidating all traffic types on one card, with the second for redundancy
- Recommended (if licensed for it) to use NIOC on the vDS for QoS per traffic type, so that e.g. vMotion cannot starve IP storage or management traffic