Requirements Gathering
- Goal (what)
- Business case (why)
- Requirements (business, functional, technical); compliance rules
- Manage expectations: end user, customer, subject matter experts, stakeholders
- Current environment: knowledge and experience, applications, physical environment, networking, virtualization environment; reusable?
- Training needed
- Project: scope, budget, schedule (when)
Load-Balancing Method: Originating Virtual Port ID
(figure: virtual NICs connected to a virtual switch, physical NICs uplinked to a physical switch)

Load-Balancing Method: Source MAC Hash
(figure: virtual NICs, virtual switch, physical NICs, physical switch, Internet)

Load-Balancing Method: IP-Hash
(figure: virtual NICs, virtual switch, physical NICs, physical switch, Internet)
Standard Switch and Distributed Switch Feature Comparison

Feature | Standard switch | Distributed switch
Layer 2 switch | yes | yes
VLAN segmentation | yes | yes
IPv6 support | yes | yes
802.1Q tagging | yes | yes
NIC teaming | yes | yes
Outbound traffic shaping | yes | yes
Inbound traffic shaping | no | yes
Configuration backup and restore | no | yes
Private VLANs | no | yes
Link Aggregation Control Protocol | no | yes
Data center-level management | no | yes
Network vSphere vMotion | no | yes
VMware vSphere Network I/O Control | no | yes
Per-port policy settings | no | yes
Port state monitoring | no | yes
NetFlow | no | yes
Port mirroring | no | yes

VMware vSphere: Optimize and Scale. 2014 VMware Inc. All rights reserved.
Private VLANs
A private VLAN is:
- An extension to the VLAN standard
- Further segmentation of a single VLAN into secondary private VLANs
A secondary private VLAN:
- Exists only in the primary VLAN
- Shares the same IP network address
- Is identified on the physical and distributed switches by a unique VLAN ID
Types of Secondary Private VLANs
There are three types of secondary private VLANs: promiscuous, isolated, and community. The type of secondary private VLAN determines the packet forwarding rules.

Primary | Secondary | Type
5 | 5 | promiscuous
5 | 155 | isolated
5 | 17 | community
Promiscuous Private VLANs
A node attached to a port in a promiscuous secondary private VLAN can send and receive packets to any node in any other secondary private VLAN associated with the same primary. Routers are typically attached to promiscuous ports.

Primary | Secondary | Type
5 | 5 | promiscuous
5 | 155 | isolated
5 | 17 | community
Isolated Private VLANs
A node attached to a port in an isolated secondary private VLAN can send to and receive packets only from the promiscuous private VLAN. Only one isolated secondary private VLAN is permitted per primary.

Primary | Secondary | Type
5 | 5 | promiscuous
5 | 155 | isolated
5 | 17 | community
Community Private VLANs
A node attached to a port in a community secondary private VLAN can send to and receive packets from other ports in the same secondary private VLAN, as well as from ports in the promiscuous private VLAN.

Primary | Secondary | Type
5 | 5 | promiscuous
5 | 155 | isolated
5 | 17 | community
Physical Switch Implementation of Private VLANs
- Standard 802.1Q tagging; no double encapsulation
- The physical switch software decides which ports to forward the frame to, based on the tag and the private VLAN tables.
- For private VLANs, the VLAN ID carried in the tag is the secondary ID.

Primary | Secondary | Type
5 | 5 | promiscuous
5 | 155 | isolated
5 | 17 | community

(figure: distributed switch carrying VLAN 5, private VLAN 5 (promiscuous), private VLAN 155 (isolated), and private VLAN 17 (community) toward the physical switch)
Private VLANs and Physical Switches
- Frames that travel between hosts are tagged with the secondary ID.
- Each virtual machine can send to and receive from different secondary private VLANs (for example, community and promiscuous).
- A physical switch can be confused by the fact that each MAC address is visible in more than one VLAN tag.
- A physical switch must have a trunk port to the VMware ESXi host, and that port must not be in a secondary private VLAN.
- Most private VLAN problems are caused by physical switches that are configured incorrectly. Compare the private VLAN map in the physical switch to the private VLAN configuration in the distributed switch.
Private VLAN-Aware Physical Switch
Scenario: a virtual machine in a promiscuous private VLAN sends an ARP request for a virtual machine in an isolated private VLAN. The target virtual machine is on a different ESXi host, and the physical switch is private VLAN-aware.
- The ARP request leaves the promiscuous virtual machine untagged; the distributed switch tags it with 5 toward the physical switch.
- The physical switch's private VLAN logic detects that the destination is isolated, so it acts as if the tag were 155. Its ports therefore see the same MAC address through different VLAN tags.
- The distributed switch on the target host delivers the ARP request untagged to the isolated virtual machine.
- The ARP reply leaves the isolated virtual machine untagged, is tagged 155 by the distributed switch, crosses the physical switch, and is delivered untagged to the promiscuous virtual machine.

Primary | Secondary | Type
5 | 5 | promiscuous
5 | 155 | isolated
5 | 17 | community
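The forwarding rules from the three secondary-type slides and the "compare the private VLAN map" advice above, as an added example (not course material): a small checker that validates a map, decides whether two secondary VLANs may exchange frames (including the promiscuous-to-isolated ARP exchange), and diffs the physical switch map against the distributed switch configuration. The map values come from the slides; the misconfigured physical map used for comparison is constructed.

```python
from typing import Dict, List, Tuple

# Private VLAN map exactly as on the slides: secondary ID -> (primary ID, type).
PvlanMap = Dict[int, Tuple[int, str]]
PVLAN_MAP: PvlanMap = {
    5: (5, "promiscuous"),   # promiscuous secondary always equals the primary
    155: (5, "isolated"),
    17: (5, "community"),
}

def validate_map(pvlan_map: PvlanMap) -> List[str]:
    """Check the two structural rules from the slides: the promiscuous secondary ID
    equals the primary ID, and at most one isolated secondary exists per primary."""
    problems: List[str] = []
    isolated: Dict[int, List[int]] = {}
    for sec, (pri, kind) in pvlan_map.items():
        if kind == "promiscuous" and sec != pri:
            problems.append(f"promiscuous secondary {sec} must equal primary {pri}")
        if kind == "isolated":
            isolated.setdefault(pri, []).append(sec)
    for pri, secs in isolated.items():
        if len(secs) > 1:
            problems.append(f"primary {pri} has {len(secs)} isolated secondaries: {secs}")
    return problems

def can_forward(pvlan_map: PvlanMap, src_sec: int, dst_sec: int) -> bool:
    """Forwarding rule between two ports identified by their secondary VLAN IDs:
    promiscuous talks to everything in its primary, community only to its own
    community (and to promiscuous), isolated only to promiscuous."""
    if src_sec not in pvlan_map or dst_sec not in pvlan_map:
        return False
    src_pri, src_kind = pvlan_map[src_sec]
    dst_pri, dst_kind = pvlan_map[dst_sec]
    if src_pri != dst_pri:
        return False                      # different primary VLANs never mix
    if "promiscuous" in (src_kind, dst_kind):
        return True                       # e.g. the ARP request 5 -> 155 and its reply
    # Two non-promiscuous ports only talk inside the same community secondary.
    return src_sec == dst_sec and src_kind == "community"

def compare_maps(physical: PvlanMap, distributed: PvlanMap) -> List[Tuple[int, object, object]]:
    """Return (secondary, physical entry, distributed entry) for every secondary whose
    (primary, type) differs between the physical switch and the distributed switch."""
    mismatches = []
    for sec in sorted(set(physical) | set(distributed)):
        if physical.get(sec) != distributed.get(sec):
            mismatches.append((sec, physical.get(sec), distributed.get(sec)))
    return mismatches
```

Running `compare_maps` with a physical map that records 155 as community instead of isolated returns exactly that one mismatch, which is the misconfiguration class the slide says causes most private VLAN problems.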
Configuring and Assigning Private VLANs
- Configure: select the distributed switch and select Private VLAN > Edit.
- Assign: right-click the distributed port group, select Edit Settings, and select VLAN.
Lesson 4: vCenter Single Sign-On
Learner Objectives
By the end of this lesson, you should be able to meet the following objectives:
- Describe the features and benefits of VMware vCenter Single Sign-On
- Describe the vCenter Single Sign-On architecture
- Define the vCenter Single Sign-On deployment modes
- List the options for protecting vCenter Single Sign-On
- Describe how to install vCenter Single Sign-On
- Describe how to configure vCenter Single Sign-On
- Use vCenter Single Sign-On to create users and assign roles
About vCenter Single Sign-On
vCenter Single Sign-On is an authentication service that secures the VMware cloud infrastructure platform. It allows vSphere software components to communicate with each other through a secure token mechanism.
(figure: vSphere Web Client authenticating against vCenter Single Sign-On, which uses AD and OpenLDAP as identity sources and issues tokens for vCenter Server, VMware vCenter Orchestrator, and VMware vCloud Director)
Benefits of vCenter Single Sign-On
vCenter Single Sign-On has the following benefits:
- Faster operations and a less complex authentication process
- Ability of vSphere solutions to trust each other without requiring authentication every time a solution is accessed
- An architecture that supports multi-instance and multisite configurations, providing single-solution authentication across the entire environment
Features of vCenter Single Sign-On
vCenter Single Sign-On has the following features:
- Support for open standards
- Support for multiple user repositories, including Active Directory and OpenLDAP
- Ability for users to see all vCenter Server instances for which they have permission
- No need to use vCenter Linked Mode for unified views of vCenter Server instances
How vCenter Single Sign-On Works
When logging in to vSphere, authentication is passed to vCenter Single Sign-On. On successful authentication, a security token is used to access vSphere components.
(figure: numbered flow through the vCenter Single Sign-On Server, consisting of the Security Token Service, Admin Service, Identity Manager Service (IDM) with IDM Client, and VMware Directory Service (vmdir); identity sources AD and OpenLDAP; vCenter Lookup Service; vCenter Server)
About Identity Sources and the Default Domain
Identity source:
- A repository for users and groups that vCenter Single Sign-On can use for user authentication
- Usually a directory service such as Active Directory or OpenLDAP
- Provides a means to attach one or more domains to vCenter Single Sign-On
Default domain:
- Used by vCenter Single Sign-On to authenticate users when the user logs in without a domain name
- One system identity source named vsphere.local is created when you install vCenter Single Sign-On; vsphere.local is the default domain.
Supported Identity Sources

Identity source | Description | Name in vSphere Web Client
Active Directory versions 2003 and later | Only one Active Directory domain as an identity source is allowed. | Active Directory (Integrated Windows Authentication)
Active Directory over LDAP | This identity source is included mainly for compatibility with version 5.1 of vCenter Single Sign-On. | Active Directory as an LDAP Server
OpenLDAP versions 2.4 and later | Multiple OpenLDAP identity sources are allowed. | OpenLDAP
Local operating system users | This identity source exists only in basic mode deployments, not in multisite mode or high availability mode deployments. | localos
vCenter Single Sign-On users | This identity source is created during the install. | vsphere.local
vCenter Single Sign-On Architecture
vCenter Single Sign-On components are deployed as part of the installation.
(figure: vCenter Single Sign-On Server containing the Security Token Service, Admin Service, Identity Manager Client, Identity Manager Service, and VMware Directory Service (vmdir); vCenter Lookup Service; identity sources AD and OpenLDAP; consumers vCenter Server, vCenter Orchestrator, and vCloud Director)
About vCenter Single Sign-On Deployment Modes
vCenter Server provides several ways to deploy vCenter Single Sign-On to best serve your vSphere environment. You can deploy vCenter Single Sign-On in one of the following modes:
- Basic
- Multiple vCenter Single Sign-On instances in the same location
- Multiple vCenter Single Sign-On instances in different locations
Basic Deployment Mode
Basic mode is the most common deployment option. You usually use the Simple Install option to deploy vCenter Server with vCenter Single Sign-On in basic mode. Basic mode is appropriate for the following scenarios:
- You have a single vCenter Server instance with an inventory size of up to 1,000 hosts or 10,000 virtual machines.
- You have geographically dispersed vCenter Server instances that are administered independently of each other.
- You are using vCenter Server Appliance.
(figure: vSphere Web Client, vCenter Server, vCenter Inventory Service, and vCenter Single Sign-On on one Windows vCenter Server system or vCenter Server Appliance)
Multiple Single Sign-On Instances in the Same Location
This deployment mode provides high availability for your vCenter Single Sign-On environment. Use this mode if you do not plan to use VMware vSphere High Availability or VMware vCenter Server Heartbeat, but high availability of the vCenter Single Sign-On server is required.
(figure: two vCenter Single Sign-On instances with synchronized vmdir behind a network load balancer, serving the vSphere Web Client, vCenter Server, and vCenter Inventory Service)
Multiple Single Sign-On Instances in Multiple Locations
This mode is required when you have geographically dispersed vCenter Server systems and you must administer these instances in Linked Mode.
(figure: New York and Virginia sites, each with a vSphere Web Client, vCenter Server, vCenter Inventory Service, and vCenter Single Sign-On instance; the two vmdir instances are synchronized across sites)
Protecting vCenter Single Sign-On
vSphere provides several ways to ensure the availability of your vSphere deployment with vCenter Single Sign-On.

Option | Description | Recovery time required
Backup and restore | Solution must be independent of vCenter Server. Recovery requires manual intervention. | Hours or days
vSphere HA | vSphere feature for maintaining uptime of virtual machines and detecting ESXi host failure | Minutes
vCenter Server Heartbeat | Separately licensed vCenter Server plug-in that provides vCenter Server protection (physical or virtual) and can protect against host failure | Minutes
vCenter Single Sign-On high availability mode | Primary vCenter Single Sign-On instance paired with a second vCenter Single Sign-On instance | Seconds
Installing vCenter Single Sign-On
Using the VMware vCenter Installer:
- Use the Simple Install option to deploy basic mode.
- Use the Custom Install option to install multisite or high availability mode.
During the custom install, you are prompted to select a deployment mode: Primary Node, High availability, or Multisite.