How to Upgrade from Windows vCenter 5.5 to VCSA 6.5 including SRM

In the last couple of days, I have heard this question many times for the scenario below. Since 5.5 is about to expire this month, IT admins are upgrading their environments to a newer version of vSphere. Going directly to 6.7 does not meet the N-1 requirement for most environments, so most admins prefer to put the environment on vSphere 6.5.

The very first questions everyone thinks about are –

  • Is the upgrade path from vCenter 5.5 to VCSA 6.5 supported? The answer is YES.
  • Is the upgrade path from VMware SRM 5.8.1 to 6.5 supported? The answer is NO. You need to upgrade VMware SRM 5.8.1 to 6.0 or 6.1.2, and then upgrade SRM 6.0 to 6.5.

Here are the details of the existing environment and the requirements that need to be met.

Existing Environment: –

  • Windows based vCenter Server – Version 5.5
  • Site Recovery Manager – Version 5.8
  • Replication Type in SRM – vSphere Replication

Requirement: –

  • Appliance based vCenter Server (VCSA) – Version 6.5
  • Site Recovery Manager – Version 6.5
  • Replication Type in SRM – vSphere Replication

Sequence to upgrade Windows based vCenter 5.5 to VCSA 6.5: –

If you are planning to upgrade your vSphere environment, follow this order to upgrade vCenter server, SRM, and vSphere Replication.

Overview of Upgrade order: –

  • Since vCenter Server 5.5 doesn’t have a PSC server, you need to make sure that you install the PSC prior to upgrading vCenter Server.
  • Upgrade PSC and vCenter Server in the Protected Site.
  • Upgrade the vSphere Replication appliance in the Protected Site.
  • Upgrade Site Recovery Manager in the Protected Site.
  • Perform the same steps in the Recovery Site.
  • If you are using array-based replication in SRM, you need to upgrade the SRA in both sites.
  • Once the upgrade sequence has been completed, verify the status of vCenter Server and the SRM sites.
  • Upgrade the ESXi hosts in both protected and recovery sites.

Step by Step Guide to Upgrade vSphere Environment: –

Prerequisites: –

  • Download the vCenter Server Appliance ISO image, the VMware SRM 6.5 setup, and the vSphere Replication appliance from the VMware download portal.
  • Ensure that you have a Windows machine from which you will initiate the installation.
  • Ensure that you have the SSO credentials and the VCDB and SRM DB database details handy.
  • Note down the details of the ESXi host where you will deploy the VCSA appliance.
  • If you want to keep the same vCenter Server name that you are using currently, you need to rename the Windows vCenter VM to an alternate name.
  • If you are using VMware SRM 5.8.1, you need to upgrade it to VMware SRM 6.0 first, and then you can upgrade it to VMware SRM 6.5.

vCenter Server Upgrade: –

Upgrading vCenter Server is a two-stage process.

  1. Deployment of VCSA
  2. Migration of Windows vCenter Data to newly deployed VCSA.

Stage 1:

  • Mount the VCSA ISO image on any Windows machine. Explore the ISO folder and navigate to VMware-Migration-Assistant.exe. Right-click it and click on Run as Administrator.
  • Follow the steps and provide the SSO credentials.
  • Once you get a black screen with the message – Waiting for migration to start, switch to the ISO folder again.
  • Go to the vcsa-ui-installer/win32 folder, click on Installer, and Run as administrator.
  • On windows screen, you will get four options.
    • Install
    • Upgrade
    • Migrate
    • Restore
  • Click on Migrate and follow the steps to complete the deployment of VCSA.

Stage 2:

  • Once the deployment is complete, you need to switch to stage 2. Here you migrate the existing Windows vCenter Server data to the VCSA.
  • During the data migration, the Windows vCenter will be shut down and the VCSA will be configured with its IP address.
  • Follow the steps and complete stage 2. Now you can access vCenter Server using the Web Client.

 

Upgrade vSphere Replication Appliance: –

Download the vSphere Replication appliance and upgrade the appliance by following the VMware document below.

https://docs.vmware.com/en/vSphere-Replication/6.5/com.vmware.vsphere.replication-admin.doc/GUID-30083484-FB13-485E-AEC9-0695EADB7B3D.html

Upgrade VMware Site Recovery Manager: –

Follow the article below to upgrade VMware Site Recovery Manager.

https://docs.vmware.com/en/Site-Recovery-Manager/6.5/com.vmware.srm.install_config.doc/GUID-4642FBA0-6D25-4B68-912A-1BDD8D02EF00.html

Exploring VMware vSphere Platinum

Hey All, Good Day! I hope you are getting some fruitful articles over here.

Today we are going to explore VMware vSphere Platinum and vSphere 6.7 Update 1, which VMware introduced today. While checking the updates on Day 1 of VMworld 2018, I came to know of this announcement, so I thought I would write a blog post on it.

This article is specific to VMware vSphere Platinum and I am not going to touch vSphere 6.7 Update 1 here. I will cover that in the next topic.

First question: what is vSphere Platinum?

vSphere Platinum is a new edition of vSphere which delivers advanced security capabilities fully integrated into the hypervisor. It combines the capabilities of vSphere with VMware AppDefense, delivering purpose-built VMs to secure applications.

There are a lot of IT security challenges that customers focus on. vSphere Platinum secures infrastructure and applications by leveraging the hypervisor and the power of machine learning in a way that is built-in, operationally simple, and with minimal overhead or impact on performance. vSphere Platinum allows the vSphere admin to deliver secure infrastructure and applications by enabling virtual machines to run in a “known good” state.

Role of VMware AppDefense: –

As you know, every day we come across new threats in IT infrastructure, and here vSphere Platinum helps to address in-guest threats. VMware AppDefense is a core feature included in vSphere Platinum. It provides the capabilities to protect applications running on vSphere.

vSphere provides the following to VMware admins: –

  • Secures Applications, Infrastructure, Data
  • Enables a simple and powerful way to maintain existing workflows
  • Using vSphere platinum you will have visibility into the intent of each virtual machine, and a detailed inventory of application assets and context.
  • Understand how applications behave and be alerted to potential issues and deviations.
  • Reduce the attack surface and reduce the risk of security compromise.
  • Establish a simple and powerful way to collaborate with security, compliance and application teams.
  • There is no agent for you to manage.
  • Use what you already own, understand, and run in your data center – vSphere – with its unique visibility, automation and isolation qualities.

There are other benefits for Security Admins: –

  • Better visibility and situational awareness of application behaviors, and virtual machine purpose.
  • Faster detection, analysis, and time to response – quickly understand attacks and make fast decisions using application context and scope.
  • Enhance existing security tools and support compliance efforts through contextual visibility and alerts into application communications and deviations.
  • Lower false positives
  • Big data correlation for better identification and context using cloud SaaS model.
  • Support DevOps environment through continuous learning and protection.
  • Easily Coordinate with vSphere Admins and Application teams for better security.

Features and Capabilities of vSphere Platinum: –

[Image: vSphere Platinum capabilities]

 

That’s all for this article. We will explore more in the next articles.

Share if you found it useful.

 

 

vSphere 6.7 ICM – Topic 9.1 – Explain the vSphere HA architecture

Downtime is something which always costs a company. VMware helps to reduce downtime at each layer.

  1. Component level (NIC multipathing, storage multipathing)
  2. Server level (vMotion and DRS)
  3. Storage level (sDRS)

Similarly, vSphere HA provides a base level of protection for your virtual machines by restarting virtual machines in the event of a host failure. vSphere HA is configured on a cluster of multiple ESXi hosts to provide quick recovery in case of an outage. vSphere offers HA as a cost-effective high availability solution for the applications running on virtual machines. HA protects against:

  • Host failure
  • Datastore accessibility issues
  • Network isolation affecting virtual machines
  • Application failure

Hosts in the cluster are monitored and, in the event of a failure, the virtual machines on a failed host are restarted on alternate hosts within the cluster.

When you create a vSphere HA cluster, a single host is automatically elected as the master host. The master host communicates with vCenter Server and monitors the state of all protected virtual machines and of the slave hosts. Different types of host failures are possible, and the master host must detect and appropriately deal with the failure. The master host must distinguish between a failed host and one that is in a network partition or that has become network isolated. The master host uses network and datastore heartbeating to determine the type of failure.

Master and Subordinate Hosts

When you add a host to a vSphere HA cluster, an agent (Fault Domain Manager (FDM)) is uploaded to the host and configured to communicate with other agents in the cluster. Each host in the cluster functions as a master host or a subordinate host. After the FDM agents have started, the cluster hosts are said to be in a fault domain. Hosts cannot participate in a fault domain if they are in maintenance mode, standby mode, or disconnected from vCenter Server.

As discussed above, when vSphere HA is enabled for a cluster, all active hosts participate in an election to choose the cluster’s master host. The host that mounts the greatest number of datastores has an advantage in the election. If more than one cluster host sees the same number of datastores, the election process determines the master host by using the host managed object ID (MOID) assigned by vCenter Server.

If the master host fails, is shut down or put in standby mode, or is removed from the cluster, a new election is held.

The master host in a cluster has several responsibilities:

  • Monitoring the state of subordinate hosts. If a subordinate host fails or becomes unreachable, the master host identifies which virtual machines must be restarted.

  • Monitoring the power state of all protected virtual machines. If one virtual machine fails, the master host ensures that it is restarted. Using a local placement engine, the master host also determines where the restart takes place.

  • Managing the lists of cluster hosts and protected virtual machines.

  • Acting as the vCenter Server management interface to the cluster and reporting the cluster health state.

The subordinate hosts primarily contribute to the cluster by running virtual machines locally, monitoring their runtime states, and reporting state updates to the master host. A master host can also run and monitor virtual machines.

The master host is responsible for orchestrating restarts of protected virtual machines. A virtual machine is protected by a master host after vCenter Server observes that the virtual machine’s power state has changed from powered off to powered on in response to a user action. The master host persists the list of protected virtual machines in the cluster’s datastores. A newly elected master host uses this information to determine which virtual machines to protect.

Network Heartbeats

The master host periodically sends heartbeats to the subordinate hosts so that they know the master is alive. Slave hosts communicate with the master over the management network. If a slave host does not respond within the predefined timeout period, the master host declares the slave host as agent unreachable. When a slave host is not responding, the master host attempts to determine the cause of the slave host’s inability to respond.

Datastore Heartbeats

The datastore heartbeats are used to make the distinction between a failed and an isolated or partitioned host. vSphere HA tries to restart virtual machines only in one of these situations:

  • A host has failed (no network heartbeats, no ping, no datastore heartbeats).
  • A host becomes isolated and the cluster’s configured host isolation response is Power off or Shut down.
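
The election and failure-handling rules described above, as an added Python example that is not VMware's FDM code. It assumes the MOID tie-break picks the lexically highest ID and that an isolated host reports its own isolation (`declared_isolated`); host IDs and the "Leave powered on" response value are constructed samples.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Host:
    moid: str        # managed object ID assigned by vCenter Server
    datastores: int  # number of datastores the host mounts


def elect_master(hosts: Iterable[Host]) -> Host:
    """Most mounted datastores wins; a tie is broken on the MOID.

    Assumption: the lexically highest MOID wins, so "host-99" beats "host-100".
    """
    return max(hosts, key=lambda h: (h.datastores, h.moid))


@dataclass(frozen=True)
class Observation:
    """What the master currently sees for one subordinate host."""
    network_heartbeat: bool
    ping: bool
    datastore_heartbeat: bool
    declared_isolated: bool = False  # assumption: the host flags its own isolation


def classify(obs: Observation) -> str:
    """Simplified classification of a subordinate host."""
    if obs.network_heartbeat:
        return "live"
    if obs.datastore_heartbeat:
        # Still writing to the heartbeat datastore: not dead, only cut off.
        return "isolated" if obs.declared_isolated else "partitioned"
    if obs.ping:
        return "agent unreachable"
    return "failed"  # no network heartbeats, no ping, no datastore heartbeats


def should_restart_vms(state: str, isolation_response: str) -> bool:
    """Restart only for a failed host, or an isolated host whose configured
    isolation response is Power off or Shut down."""
    if state == "failed":
        return True
    return state == "isolated" and isolation_response in ("Power off", "Shut down")


# Constructed sample cluster and observations.
CLUSTER = [Host("host-12", 2), Host("host-100", 3), Host("host-99", 3)]
SAMPLES = {
    "dead host": Observation(False, False, False),
    "isolated host": Observation(False, False, True, declared_isolated=True),
    "partitioned host": Observation(False, False, True),
}

if __name__ == "__main__":
    print("master:", elect_master(CLUSTER).moid)
    for label, obs in SAMPLES.items():
        state = classify(obs)
        for response in ("Power off", "Leave powered on"):
            print(f"{label}: {state}, response={response!r}, "
                  f"restart={should_restart_vms(state, response)}")
```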

Virtual Machine Component Protection

VMCP provides protection against datastore accessibility failures that can affect a virtual machine running on a host in a vSphere HA cluster. When a datastore accessibility failure occurs, the affected host can no longer access the storage path for a specific datastore. You can determine the response that vSphere HA will make to such a failure, ranging from the creation of event alarms to virtual machine restarts on other hosts.
Only vSphere HA clusters that contain ESXi 6 hosts can be used to enable VMCP. Clusters that contain hosts from an earlier release cannot enable VMCP. Such hosts cannot be added to a cluster enabled for VMCP.

Proactive HA Failures

A Proactive HA failure occurs when a host component fails, which results in a loss of redundancy or a noncatastrophic failure. However, the functional behavior of the VMs residing on the host is not yet affected. For example, if a power supply on the host fails, but other power supplies are available, that is a Proactive HA failure.

If a Proactive HA failure occurs, you can automate the remediation action taken in the vSphere Availability section of the vSphere Client. The VMs on the affected host can be evacuated to other hosts and the host is either placed in Quarantine mode or Maintenance mode.

How to Assign License Key in vCenter Server 6.5

Please follow the steps below:

  1. Log in to Virtual Center using the Web Client or vSphere Client.
  2. At the top of the console, you can see a note saying that the licenses in the inventory have either expired or are not available.
  3. Go to Home > click on Licenses under the Administration tab.
  4. Click on Manage your Licenses in the Getting Started tab or go to the Licenses tab.
  5. Click on the + icon to create new licenses.
  6. Enter the vCenter Server 6.x Standard license key and press Enter to add a new line.
  7. Enter the vSphere 6.x Standard license key (for ESXi), and click Next.
  8. Label the license keys as per your convenience. Click on Next.

vSphere 6.7 ICM – Topic 6.5 – Put VMFS datastore in Maintenance Mode

Happy Thursday to all! Hope your learning is going just fine.

Remember: “First you learn and then you remove the letter “e” from the word learn”!

This blog mainly aims to show how to put a VMFS datastore in maintenance mode.

Points to Cover –

  1. How to put a datastore in maintenance mode.
  2. How to ensure that production isn’t impacted while putting it in maintenance mode.

In our lab we have a Web Client session to vCenter.

  • Set the view at datastore level from left pane.
  • Choose the datastore on the left that you want to put in maintenance.

Once the datastore has been put in maintenance mode.

  • Right click the datastore and move the mouse over “Maintenance Mode”.

Although VMware has very stable code to detect whether any production VMs are running on the datastore, it is recommended to do a health check before putting a datastore in maintenance mode. For example, VMs need to be migrated off the targeted datastore, and any ISO in that datastore shouldn’t be mounted on a running VM.

 

Once the datastore has been put in maintenance mode, the datastore status is shown as below. See how the icon has changed!

vSphere 6.7 ICM – Topic 5.2 – Configure virtual switch security, traffic-shaping and load-balancing policies

Continuing with the vSphere 6.7 Install, Configure, and Manage modules, today we are going to cover vSphere networking, which is one of the tougher areas for VMware admins, who have a lot of difficulty applying the network policies.

Points to Cover: –

  1. Understand Network Policies
  2. Security Policies
  3. Traffic Shaping
  4. Teaming & Failover
  5. Understand Load Balancing Policies
  6. What is MTU (Maximum Transmission Unit)

In the last section, we learnt the concepts of the vSphere Standard Switch and how to create a vSwitch in a vSphere environment. In this section, we are going to explore configuring virtual switch security, traffic-shaping and load-balancing policies.

  • Standard switch policies are configured to enhance the security of a complex virtual environment.
  • You can create multiple port groups in a standard switch, and then apply different policies to each port group.
  • You can also apply the same network policies to all port groups or to the standard switch.

Network Policies Apply at: –

[Image: levels at which network policies apply]

How to Apply these Policies?

  • Log in to vCenter Server using the Web Client.
  • Click on the host and go to Networking under the Configure tab.
  • Select the virtual switch and click on the pencil icon to edit.

The vSphere Standard Switch has the following network policies:

  • Security

  • Traffic Shaping

  • Teaming & Failover

  • MTU

Security: –

  • Promiscuous Mode (Accept or Reject)

    • It can be defined at the virtual switch or port group level.
    • If you change it to Accept, the guest OS can receive all traffic which passes through the vSwitch or port group.
    • When promiscuous mode is enabled at the port group level, objects defined within that port group have the option of receiving all incoming traffic on the vSwitch.
    • When promiscuous mode is enabled at the virtual switch level, all port groups within the vSwitch will default to allowing promiscuous mode. However, promiscuous mode can be explicitly disabled at one or more port groups within the vSwitch.
    • By default, this policy is set to Reject on virtual switches (standard or distributed).

    Explanation:

    • Let’s take an example where we have two port groups, PG-A and PG-B. In PG-A, we have two virtual machines, VM-1 and VM-2. In PG-B, we have another two virtual machines, VM-3 and VM-4.
    • If promiscuous mode is set to Reject, PG-A and PG-B will not send traffic across to each other and packets will only be delivered point to point.
    • But if you set it to Accept, then traffic will be delivered to both PG-A and PG-B and their VMs: VM-1, VM-2, VM-3 and VM-4.

  • MAC Address Changes (Accept or Reject)

    • This security policy is enabled by default on the standard switch and disabled on the distributed switch.
    • If it is set to Accept, the host accepts requests to change the effective MAC address to one that is different from the original.
    • MAC Address Changes is concerned with incoming traffic.

    Explanation:

    • All virtual machines have two MAC addresses:
      1. Initial MAC – It is generated automatically and resides in the configuration file (VMX file). The guest OS has no control over the initial MAC address.
      2. Effective MAC – It is configured by the guest operating system and is used during communication with other virtual machines. The effective MAC address is included in network communication as the source MAC of the virtual machine. If you manually set a MAC address in a VM, that is an effective MAC.
    • Let’s take an example: you have a virtual machine with initial MAC address 00:50:56:AF:3C:FG. Now, for some reason, you change the MAC address of the virtual machine and the effective MAC address changes to 00:50:56:AF:3C:EH.
    • A virtual machine’s initial address and effective address must agree with each other. If the guest OS changes the effective address, the port compares the effective address to the initial address.
    • If the MAC Address Changes security policy is set to Reject, the initial address and effective address will not agree with each other, and as a result the port will be administratively down.
    • If the MAC Address Changes security policy is set to Accept, the new effective MAC address is treated as agreeing with the initial MAC, it is automatically updated in the ARP table, and the virtual machine works as usual.
  • Forged Transmits (Accept or Reject)

    • In this case, the host does not compare the source and effective MAC addresses which are transmitted from a VM.
    • Forged Transmits is concerned with outgoing traffic.
    • If Forged Transmits is set to Reject, traffic will not be passed from the virtual machine to the vSwitch (outgoing) if the initial and the effective MAC addresses do not match.
    • MAC Address Changes and Forged Transmits are also used by Windows as a mechanism to protect against duplicate IP addresses on the network. If a Windows system detects an IP address conflict, it will send out a forged transmit to reset the IP to the original MAC of the machine it thinks originally owned it and then take itself off the network. This protection mechanism for duplicate IP addresses won’t work without these security settings allowed.
    • It is set to Accept on the standard switch and Reject on the distributed switch.
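
The inheritance and MAC checks described above, as an added Python model for auditing a switch configuration offline (not code from the original article and not ESXi's implementation). The inventory, the `PG-Capture` port group and both MAC addresses are constructed; the vSwitch values are the standard-switch defaults listed in this section.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

POLICY_KEYS = ("promiscuous", "mac_changes", "forged_transmits")


@dataclass
class SecurityPolicy:
    # True = Accept, False = Reject, None = inherit from the vSwitch (port groups only)
    promiscuous: Optional[bool] = None
    mac_changes: Optional[bool] = None
    forged_transmits: Optional[bool] = None


def effective_policy(vswitch: SecurityPolicy, portgroup: SecurityPolicy) -> SecurityPolicy:
    """A value set on the port group overrides the vSwitch; unset values are inherited."""
    merged = {}
    for key in POLICY_KEYS:
        override = getattr(portgroup, key)
        merged[key] = getattr(vswitch, key) if override is None else override
    return SecurityPolicy(**merged)


def same_mac(a: str, b: str) -> bool:
    """Compare two MAC addresses regardless of case and ':' or '-' separators."""
    return a.replace("-", ":").lower() == b.replace("-", ":").lower()


def inbound_allowed(policy: SecurityPolicy, initial_mac: str, effective_mac: str) -> bool:
    """MAC Address Changes (incoming): with Reject, a port whose effective MAC
    no longer agrees with the initial (VMX) MAC stops receiving traffic."""
    return bool(policy.mac_changes) or same_mac(initial_mac, effective_mac)


def outbound_allowed(policy: SecurityPolicy, initial_mac: str, effective_mac: str) -> bool:
    """Forged Transmits (outgoing): with Reject, traffic is not passed to the
    vSwitch when the initial and effective MACs do not match."""
    return bool(policy.forged_transmits) or same_mac(initial_mac, effective_mac)


def audit(vswitch: SecurityPolicy,
          portgroups: Dict[str, SecurityPolicy]) -> Dict[str, List[str]]:
    """Map each port group to the policies whose effective value is Accept."""
    findings = {}
    for name, pg in portgroups.items():
        eff = effective_policy(vswitch, pg)
        accepted = [key for key in POLICY_KEYS if getattr(eff, key)]
        if accepted:
            findings[name] = accepted
    return findings


# Constructed sample inventory. Standard-switch defaults from this section:
# promiscuous Reject, MAC address changes Accept, forged transmits Accept.
VSWITCH0 = SecurityPolicy(promiscuous=False, mac_changes=True, forged_transmits=True)
PORTGROUPS = {
    "PG-A": SecurityPolicy(),                                           # inherits all
    "PG-B": SecurityPolicy(mac_changes=False, forged_transmits=False),  # overrides
    "PG-Capture": SecurityPolicy(promiscuous=True),                     # hypothetical
}
INITIAL_MAC = "00:50:56:AF:3C:01"    # constructed; the value in the VMX file
EFFECTIVE_MAC = "00:50:56:af:3c:02"  # constructed; changed inside the guest

if __name__ == "__main__":
    for name, accepted in audit(VSWITCH0, PORTGROUPS).items():
        print(f"{name}: Accept on {', '.join(accepted)}")
    for name in ("PG-A", "PG-B"):
        eff = effective_policy(VSWITCH0, PORTGROUPS[name])
        print(name,
              "inbound:", inbound_allowed(eff, INITIAL_MAC, EFFECTIVE_MAC),
              "outbound:", outbound_allowed(eff, INITIAL_MAC, EFFECTIVE_MAC))
```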

Traffic Shaping: –

Traffic shaping is the feature that controls the quantity of traffic allowed to flow across a link. That is, rather than letting the traffic go as fast as it possibly can, you can set limits on how much traffic can be sent.

You can configure a traffic shaping policy for each port group in a standard or distributed switch.

Traffic shaping is applied to outbound network traffic on standard switches and to inbound and outbound traffic (ingress or egress traffic shaping) on distributed switches.

Traffic Shaping is defined by:

  • Average bandwidth (100000 Kbits/Sec)

    • Establishes the number of bits per second to allow across a port, averaged over time.
    • This number is the allowed average load.
    • By default, traffic gets the bandwidth that is defined in Average bandwidth.
  • Peak bandwidth (100000 Kbits/Sec)

    • Maximum number of bits per second to allow across a port when it is sending or receiving a burst of traffic.
    • This number limits the bandwidth that a port uses when it is using its burst bonus.
    • Average bandwidth can be exceeded when needed by specifying a higher “Peak Bandwidth” value.
  • Burst size (102400 Kbytes)

    • Maximum number of bytes, in kilobytes, allowed to be transmitted in a burst at the peak bandwidth rate.
    • When the port needs more bandwidth than specified by the average bandwidth, it might be allowed to temporarily transmit data at a higher speed if a burst bonus is available. So, when you need to send more traffic than the average bandwidth value allows, you transmit a burst of traffic, which is more than the allowed average bandwidth.
    • Traffic will be allowed to burst until the value of “Burst Size” has been exceeded.
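
How the three values interact, as an added Python simulation that is not part of the original article. It is a simplified one-second credit model of the description above, not ESXi's shaper; the offered-load series is constructed, and the function and parameter names are illustrative.

```python
from typing import List


def shape(offered_kbit: List[int], average_kbps: int, peak_kbps: int,
          burst_kbytes: int, initial_credit_kbit: int = 0) -> List[int]:
    """Return the Kbit actually sent in each one-second interval.

    Unused average bandwidth accumulates as a burst bonus (capped at the burst
    size); the bonus is spent when the port sends above the average, and the
    port never sends above the peak.
    """
    if peak_kbps < average_kbps:
        raise ValueError("peak bandwidth must be at least the average bandwidth")
    burst_cap_kbit = burst_kbytes * 8  # burst size is configured in Kbytes
    credit = min(initial_credit_kbit, burst_cap_kbit)
    sent_per_second = []
    for offered in offered_kbit:
        # Ceiling for this second: at most peak, and above average only
        # while burst bonus remains.
        ceiling = min(peak_kbps, average_kbps + credit)
        sent = min(offered, ceiling)
        if sent > average_kbps:
            credit -= sent - average_kbps  # spend burst bonus
        else:
            credit = min(burst_cap_kbit, credit + average_kbps - sent)  # earn bonus
        sent_per_second.append(sent)
    return sent_per_second


def seconds_at_peak(average_kbps: int, peak_kbps: int, burst_kbytes: int) -> float:
    """How long a full burst bonus sustains transmission at the peak rate."""
    if peak_kbps <= average_kbps:
        return 0.0
    return burst_kbytes * 8 / (peak_kbps - average_kbps)


# Constructed offered load in Kbit per second: two quiet seconds, then a spike.
OFFERED = [50000, 50000, 300000, 300000]

if __name__ == "__main__":
    # Values shown in this section: average 100000, peak 100000, burst 102400 Kbytes.
    print("peak == average:", shape(OFFERED, 100000, 100000, 102400))
    # Raising the peak lets the saved-up bonus be spent during the spike.
    print("peak raised:    ", shape(OFFERED, 100000, 200000, 102400))
    print("full bonus lasts", seconds_at_peak(100000, 200000, 102400), "s at peak")
```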

Teaming & Failover: –

  • Load Balancing Policy:

    • Route based on the originating virtual port ID

      • Each virtual machine has a virtual port ID on the vSwitch. The port ID of a virtual machine is fixed while the virtual machine runs on the same host. If you migrate, power off, or delete the VM, its port ID on the virtual switch becomes free and the port ID changes at the next power on.
      • The vSwitch selects uplinks based on the virtual machine port IDs.
      • This load balancing method is used by default on Standard and Distributed Switches.
    • Route based on IP hash

      • Load balancing is based on the source/destination IP addresses.
      • vSwitch selects uplinks for virtual machines based on the source and destination IP address of each packet.
      • With the IP hash load balancing policy, all physical switch ports connected to the active uplinks must be in EtherChannel mode.
      • This load balancing should be set for all port groups using the same set of uplinks.
      • Physical adapters attached on vSwitch must be in Active/Active.
      • Beacon probing is not supported with IP Hash.
    • Route based on source MAC hash

      • Load balancing is based on the virtual machine’s MAC address.
      • To calculate an uplink for a virtual machine, the virtual switch uses the virtual machine MAC address and the number of uplinks in the NIC team.
    • Use explicit failover order

      • It is based on Route Based on Originating Virtual Port. Virtual switch checks the load of the uplinks and takes steps to reduce it on overloaded uplinks.
  • Network Failure Detection Policy:

    • Link Status only

      • It is used to check whether the link of a physical NIC is up or down.
      • This option detects failures, such as cable pulls and physical switch power failures, but not configuration errors, such as a physical switch port being blocked by spanning tree or mis-configured to the wrong VLAN or cable pulls on the other side of a physical switch.
    • Beacon Probing

      • Beacon probing checks the health and connectivity between each vmnic (physical NIC) in the same vSwitch.
      • This option detects many of the failures that are not detected by link status alone.
      • ESXi sends a small packet out of its physical network card and sees whether this packet is received by the other physical network card within the same vSwitch. If the vmnic receives the packet, it means that the connectivity between these two physical network cards is healthy.
      • You must have 3 physical network ports in the same vSwitch before you turn on beacon probing. The reason is that if you have 2 physical network ports in the same vSwitch and the beacon packets cannot reach each other, the switch cannot determine which NIC needs to be taken out of service.
      • Do not use IP hash for load balancing.
  • Notify Switches Policy: (Yes/No)

    • By setting up Notify switches policy to “Yes”, you can determine how the ESXi host communicates failover events.
    • It is also used for updating MAC address information on physical switches.
  • Failback Policy: (Yes/No)

    • It applies when a failed physical NIC comes back online: the vSwitch sets the NIC back to active, replacing the standby NIC.
    • By default it is set to Yes.
  • Failover Order Policy:

It specifies how to distribute the work load for adapters.

    • Active Adapters

      • The vSwitch continues to use the adapter when the network adapter connectivity is available and active.
    • Standby Adapters

      • vSwitch uses this adapter if one of the active adapter’s connectivity is unavailable.
    • Unused Adapters

      • When a physical adapter is added to this section, the vSwitch does not use this adapter.

What is MTU (Maximum Transmission Unit)?

  • An MTU (maximum transmission unit) is the largest size packet or frame, specified in octets (eight-bit bytes), that can be sent in a packet- or frame-based network such as the Internet.
  • The default MTU size is 1500 bytes, which can be increased up to 9000 bytes.
  • Jumbo Frames can be enabled on a vSwitch, vDS, and VMkernel Adapter.

That’s all for this topic. As vSphere networking is a complex and interesting topic, I am planning to write a separate blog with detailed information on each of the points mentioned above. Stay tuned for the coming blogs.

Thanks for visiting here. Share this article if you found it useful. Be sociable.