Skip to main content

Posts

Showing posts from 2019

All about NSX-T

I got very very awesome way to learn NSX-T so I just wanted to share with you guys. I erased all the content of my previous postbecause duplicating the text is not smart way and specially if it is already written in better way and by VMware. Just browse below link, login with your VMware account credentials (if you have already sign-up otherwise you need to sign-up first) and start exploring NSX-T because future is T. https://labs.hol.vmware.com/HOL/catalogs/enrollments/lab/NEE-049991_40988847_ Keep up the pace guys.. Thank you, Team vCloudNotes

NSX | Deny vs Reject

In NSX, while configuring firewall rules in Edge or in DFW, you might have noticed that there are three option while choosing any action for any incoming or outgoing packet. In DFW - it is Allow, Block and Reject In ESG - it is Accept, Deny and Reject Reject action sends following responses- RST packet for TCP Connection ICMP unreachable with network administratively prohibited code Deny action silently drops packet from or to the specified source and destination. For example, RTO. Feel free to ask any question folks. Thank you, Team vCloudNotes

NSX | What happens when.....

Since last few days, I was getting lots of questions like what happens when host down, control VM down or a controller down etc. Then I thought to list down all the cases but fortunately I found below VMware article which explain well about it. I hope you too will like it . Thank you, Team vCloudNotes

vROPS | How to get list of VMs with connected ISO files

Below vROPS view will help you to get a report having name of all those VMs which have connected CD-ROM and .iso file attached. This solution was given to one of the team who was struggling to find some way to have this kind of report.  Step 0: Login vROPS Step 1: Browse vROPS to create a view Step 2: Give it Name --> Presentation as "List" --> Subject as "Virtual machine" --> You can select Data as "Parent vCenter, Name and vcenter etc." Step 3: Now go to Filter button as shown in below image and configure as shown Now simply save the View and use it as you want. False: Means this view will show all VM which has connected CD-ROM drive True: Means VM where CD-ROM drive is disconnected One issue can be there that you might not see snipped option\metric for "Configuration|Security|Disconnected CD-ROM" because in some cases, it is not default activated and need to enable manually from vROPS policy. Tha

vCenter | Change Power Management Policy on all ESXi hosts

Hi Guys, To know in detail about Host Power Management Policy, click  here . In short, in production environment, it should be "High Performance" otherwise many issue may arise like latency while backing up a VM or VM was not responding between interval of time etc. So, if it is "Balanced" then it could be one of the reason. Right now, login your vCenter and check the power management policy and change it if it is not the appropriate one. Now, if you are changing this policy on hundreds of host then doing it manually can be a headache. Let use Powershell to get it done in a minute. #Start here Connect-VIServer vc1.mylab.net #of course to connect VC $view = (Get-VMHost | Get-View) (Get-View $view.ConfigManager.PowerSystem).ConfigurePowerPolicy(x) #End here in above commad ".ConfigurePowerPolicy(x)" is as below x= 1 ; for High Performance x=2  ; for Balance x=3  ; for Low Power x=4  ; Custom  Please note :  1. There is no downtime for t

ESXi | Error while backing up Configuration of ESXi host

This time I got a problem with ESXi host where team was getting and "Internal Server Error" while taking the backup of configuration of ESXi host. I checked and found that on that host folder "Downloads" was not there in Scratch partition. I simply SSH the host and created the folder with command "mkdir downloads" in scratch partition and taken the backup with below Powershell command successfully. #Start here Connect-VIServer vC1.mylab.net $folder = New-Item -ItemType Directory -Path "D:\Host configuration\$((Get-Date).ToString('yyyy-MM-dd'))" -Force Get-VMHost | Get-VMHostFirmware -BackupConfiguration -DestinationPath $folder #End here Thank you, Team vCloudNotes

NSX | All about control plane

When I was learning about NSX Control plane, I couldn't find all information in a single pane or page. Information was there but scattered. I thought to gather all the info and put it in below way. I found it better to learn in future.  Please don't shy to leave your feedback if you find it useful too. Below are the components of NSX control plan NSX Controller Cluster Control Plane Agent (netcpa) NSX Logical Router ControlVM Now Let's explore each of above in detail.  NSX Controller Cluster NSX controllers provide control plane functionality. Controllers distribute logical routing network information to ESXi hosts. It is responsible for updating ESXi host on the state of the logical network components. NSX cluster uses "Sharding" process to distribute workload across NSX controller cluster nodes. Sharding is the action of dividing the NSX controller workload into different shards so that each NSX controller instance has an equal porti

NSX | IP Discovery

Of course, NSX need to know the IP address of any VM and to find the IP address of any VM it uses below methods - VMware Tool installed on every VM - DHCP Snooping (Enabled on host cluster) - ARP Snooping (Enabled on host cluster) Multiple methods can be used to discover the IP and can be used in below operations\task by NSX Manger - Firewall Rules - Spoofguard IP Discovery with VMware Tools- VMware tools use thin agent that must be installed on each and every VMs which needs to be protected. Virtual Machine with installed VMware tool is automatically secured whenever they are started up on any ESXi host having NSX VIB installed. Protected virtual machines retains the security protection through shutdown and restart and even afrter vMotion move to another host with installed NSX VIBs. If Vmware tool is not installed then other methods can be used like DHCP and ARP snoopiong. IP Discovery with DHCP Snooping- As you already know that DHCP snooping can discover IP wi

PS | Automation can be dangerous!

Hi Folks, Everyone loves automation. It is very exciting to see that operations is happening automatically. But it will not take much to convert from excitement to graveyard regret if not executed in correctly or in a perfect manner. I would like to share one example where we were in process of upgrading all NSX edges. As per plan, we selected around 100 edges to upgrade first and then we had to wait for further approval and all. So we picked the powershell command and executed for those 100 edges. Command is very simple and one liner command. Nothing complex in that but..... A blank enter key created mess. Let's see how! Check the command first In that command, there is source file which is saved with .txt extension. In that file, edge ids needs to be mentioned. isn't it? Then execute the script. Very simple :) but what ruin the task is, in that .txt file, edge were mentioned like edge1 edge2 edge3 . . . and so on and nothing wrong. But in last row, t

NSX | Plan upgrade with care

Good Morning Folks, Purpose of this post is to make all of you aware about one of the supported feature of NSX which is no more supported started from version 6.4.4. Why specifically I am sharing it because it can be a good example on "How you should plan the upgrade". Feature is "Starting from 6.4.4, 3DES as an encryption algorithm in NSX Edge IPsec VPN service is no longer supported ." Now question is what does it mean and how it will impact production. What does it mean? Hope you know that in IPSec VPN tunnel there are two endpoints, one is local and other is remote. 3DES is encryption algorithm which we use to secure the connection between these two endpoints. In place of 3DES, we have AES, AES256 and AES-GCM. We have to select anyone of above because 3DES is no more supported or listed in nsx edge version 6.4.4. Why it is depreciated? Because it is not that strong. To elaborate, 3DES designed to auto-negotiate the encryption value to establish t

NSX | What is 3 and 5 tuple value?

This question was asked in one of my interview and I was not that knowledgeable to answer it at that time. I don't want anyone else (who learn NSX and my blog. I have no way to share it with all the world:)) to be unanswered on this question. With this thought, I am writing the answer below. It is very small thing but matter a lot while asked in an interview.   It refers to a set of three and five different values that comprise a TCP\IP connection. It include as shown below.   3-Tuple: The tuple (source IP address, destination IP address, ICMP Identifier). A 3-tuple uniquely identifies an ICMP Query session. When an ICMP Query session flows through a NAT64, each session has two different 3-tuples: one with IPv4 addresses and one with IPv6 addresses. 5-Tuple: The tuple (source IP address, source port, destination IP address, destination port, transport protocol). A 5-tuple uniquely identifies a UDP/TCP session. When a UDP/TCP s

PS | How to read content of any file inside GuestOS without logging in?

I am doing lot around powershell these day. Let's see one more Challenge given and provided solution. Basically, this challenge belongs to my last blog. Here I was asked to read the content of a file in a VM without accessing RDP. Sound interesting? isn't it? #Start here Connect-VIServer vCenter1 $VM = read-host "Enter VM Name " #here is the target vm name $Chpass = @" #below command will read and give output for entire file (Get-Content -Path C:\DRTask\vm-startup-regIpDns_v9.ps1 #below command will read line number 8 and will give you output     (Get-Content -Path C:\DRTask\vm-startup-regIpDns_v9.ps1 -TotalCount 8)[-1] "@ Invoke-VMScript -VM $VM -ScriptText $Chpass #-GuestUser "$user" -GuestPassword "$pass"  -ScriptType Powershell #Start here Below is output- I got the text in line number8 that that has the IP address in file inside the guest OS. Basically it read the file with the help of VMware tools in vcent

Powershell | Transfer file into VM

Hi Guys, I hope that this post will help many because everyone once in their career might encounter this issue. The issue is, "RDP for this VM is not working\allowed, how can I transfer this file into this VM". I have seen many guys facing this issue, So, below is the solution #start here clear $VC = Read-Host "Enter the IP address\fqdn of vCenter server" Connect-VIServer $VC Write-Host "Enter the requested info please" -ForegroundColor Cyan Function Collectdata{ Write-Host "Enter the path of source file. For example, C:\temp\transferfile.txt" $source = Read-Host "Enter the path here" Write-Host "Enter the destination folder in VM where you want to copy above file. For example, C:\temp" $dest = Read-host "enter the destination folder path here" $VM = Read-Host "Enter the VM Name" $user = Read-Host "Enter the username" $pass = Read-Host "enter password" -AsSecureString Write-Host "Th

Powershell | Modify password for user account inside GuestOS of a VM

Today I got this challenge and I did it in below way- #Start here $VC = Read-host "Enter your vCenter server name\IP " Connect-VIServer $VC $vmName = Read-host "Enter the target VM Name in vCenter " $UN = read-host "Enter the target username " $pswd = 'Password' #Enter password here which you want to set in '' mark $Chpass = @" `$securePswd = ConvertTo-SecureString -AsPlainText -String $pswd -Force Get-LocalUser -Name $newUser | Set-LocalUser  -Password `$securePswd -Confirm:`$false "@ Invoke-VMScript -VM TestVM -ScriptText $Chpass -GuestUser "$UN" -GuestPassword "Asdf@1234" -ScriptType Powershell | Select -ExpandProperty scriptoutput #End here Please note that - "Asdf@1234" is existing password of the guestOS In case any error, do let me know, will surely help you out Thank you, Team vCloudNotes

NSX | Bit about Firewall

Types of Firewall rules based on protocols and security layer- General Rules - These rules are applied to the L3, L4 and L7 protocols and fields such as IP addresses, TCP\UDP port numbers and APP-IDs. In addition, vCenter attributes like datacenters and resource pools can be part of the group. Ethernet Rules - These rules can define a set of MAC addresses as source or destination and enforce policy on L2 protocols. Ethernet rules are enforced before General rules. Partner Security Services - These rules can define traffic flows to be redirected to partner solutions for additional network introspection. Firewall rules are managed in centralized manner. Each traffic session is checked against the top rule in firewall table before moving down the subsequent rule in the table. The first rule in the table that matches the traffic parameter is enforced Types of Firewall rules based on where and who creates them- user-defined rules : rules created by administrators Internal ru

[Update] Powershell

Hi Guys, I am still working on the idea to create a Centralize tool for many vCenter Operational tasks with the help of powershell in a time efficient way. I have divided it into three category. Get or Search Engine ....................In Progress Set or operations Engine ...............To be initiated Deploy and Automation Engine.... To be initiated Below is the updated glimpse of the work- Please give your ideas to make it more exhaustive. I will share once all three steps will be completed. Thank you, Team vCloudNotes

NSX | How NSX provide more security to datacenters?

It secure the data center by addressing one of the key issues in traditional security solutions, which are as below- 1. NSX has visibility not only on virtual datacenter components like VM, ESXi host, portgroups but also within Guest-OS, application and its service hence secure SDDC not only from external attacks but also from within vulnerabilities. Here we know something known as Micro-Segmentation. For example: if once VM is infected with some viruses\malware or any other malicious software then NSX block the VM and don't allow it to infect other VMs. Below is reference snippet. First image(from left) is for traditional datacenter and with traditional security. Second image is with NSX 2. It don't need any in Guest Antivirus agent. Separate antivirus solution is not required if you have Guest-Introspection enabled with NSX.  Explanation: I have 10 ESXi host in a cluster and 100 VMs. I'll just prepare my ESXi Host for NSX (Let me know if you wa

NSX | Service Composer

Below is the excellent article on Service composer in NSX. Very well explained and to the point detail. Read it completely and feel free to start any discussion. https://blogs.vmware.com/consulting/tag/nsx-service-composer Thank you, Team vCloudNotes

vROPS | Custom Groups

It helps to group scattered VMs across multiple datacenters but belongs to same entity. To elaborate, Goal - I want to have a heatmap dashboard for all VMs of my client and in a single pane. Challenge - My client's VMs are scattered around 4 data centers and in multiple folders and it is on vCloud Director platform. But vROPS will not be able to show the data in single pane of view because VMs are spread across and not in a single container. Solution - Create Custom Group to monitor all those in a single pane of view. It will create a single container to give dashboard a source object to monitor and give the data. Let's see how to do that... My vROPS Version is 7.0.0. Step 0:  Login vROPS. Of course :) Step 1: Click on "Environment" tab - Click on "Custom Groups" Under Groups and applications and then click on Green (+) icon Step 2: Follow the below- Name  - Type any name here. I will give it vCloudGroup Group Type - Select the group

Python | Web page automation with Selenium

Below example is to auto-login in web-page. Already there are lots of websites sharing the same but I would like to have all the info at one place(Because this is my vCloud Notes) :) #Start here from selenium import webdriver  #Install the selenium package from selenium.webdriver.common.by import By import time import selenium, os, time from selenium import webdriver from selenium.webdriver.common.by import By from selenium.webdriver.common.keys import Keys from selenium.webdriver.common import keys import pyautogui baseUrl = "Enter URL here" exepath = 'C:\\Python\\geckodriver.exe' # download and save geckodriver (for firefox)in this location. For chrome it is different one. driver = webdriver.Firefox(executable_path=exepath) driver.get(baseUrl) time.sleep(7) username = driver.find_element(By.XPATH, "//input[@name='username']").send_keys("gjohar") password = driver.find_element(By.XPATH, "//input[@name='password

Happy Diwali Folks

NSX | MicroSegmentation

Micro-segmentation is a fancy term, basically it is kind of next level security provided by NSX. It is well known as "Micro" because it helps us to control the traffic flow even from a vNIC. This Micro-segmentation basically we achieve by DFW that is Distributed Firewall. Internet is already flooded with lots of articles and documentation on it. But here I will just simplify the things, but only for those who at least knows that what is NSX :) How to apply it- Step 0:  Login vCenter server and go to Networking and Security plugin Step 1: Create Security groups between which you want to apply the policy. It doesn't mean that it is possible only with security groups. You can apply the firewall policy between two VMs, portgroups, IP address, SGs, vAPPs etc. it is just and example. Step 2: Create required firewall rules and apply on security groups Step 3: It is done Steps explained- Let's say I want to apply security between APP and Web VMs. I will cre

vROPS | Health Check of cluster

Sometime we have to check the cluster health. In terms of database size, collected metrics size etc.. for that I have a script which gives you very beautiful view of each and every thing of all the vrops cluster nodes. Run the script and you see it by yourself. Step 1: Login vrops master node with root Step 2: Copy below script and paste in CLI interface of vROPS   echo -e "\e[1;31mHOSTNAME:\e[0m" > $HOSTNAME-status.txt | hostname >> $HOSTNAME-status.txt;getent hosts | nslookup >> $HOSTNAME-status.txt; uname -a >> $HOSTNAME-status.txt; echo -e "\e[1;31mDNS CONFIGURATION:\e[0m" >> $HOSTNAME-status.txt | cat /etc/resolv.conf >> $HOSTNAME-status.txt; cat /etc/hosts >> $HOSTNAME-status.txt; echo -e "\e[1;31mVERSION INFO:\e[0m" >> $HOSTNAME-status.txt | cat /usr/lib/vmware-vcops/user/conf/lastbuildversion.txt >> $HOSTNAME-status.txt; echo -e "" >> $HOSTNAME-status.txt;cat /etc/SuSE-rel