Customer
End User
Subject Matter Experts
Stakeholders
Current Environment
Knowledge and experience
Virtualization environment
Physical environment
Training needed
Reusable?
Goal Business Case Requirements
Project
Budget
Schedule
Requirements (business, functional, technical)
Compliance rules
Networking
Applications
Scope
Manage Expectations
Customer
End user
Subject Matter Experts
Stakeholders
Current environment
Knowledge and experience
Virtual environment
Physical environment
Training needed
Reusable?
Goal (what)
Business Case (why)
Requirements
Project
Budget
Schedule (when)
Requirements (business, functional, technical)
Compliance rules
Networking
Applications
Scope
Expectation management
© 2013 VMware Inc. All rights reserved
VMware vSphere: Install, Configure, Manage
Load-Balancing Method: Originating Virtual Port ID
[Diagram: virtual NICs attached to a virtual switch, whose physical NICs uplink to a physical switch]
Load-Balancing Method: Source MAC Hash
[Diagram: virtual NICs attached to a virtual switch, whose physical NICs uplink to a physical switch connected to the Internet]
Load-Balancing Method: IP-Hash
[Diagram: virtual NICs attached to a virtual switch, whose physical NICs uplink to a physical switch connected to the Internet]
© 2014 VMware Inc. All rights reserved
VMware vSphere: Optimize and Scale
Standard Switch and Distributed Switch Feature Comparison
Features compared (standard switch versus distributed switch):
▪ Layer 2 switch
▪ VLAN segmentation
▪ IPv6 support
▪ 802.1Q tagging
▪ NIC teaming
▪ Outbound traffic shaping
▪ Inbound traffic shaping
▪ Configuration backup and restore
▪ Private VLANs
▪ Link aggregation control protocol
▪ Data center-level management
▪ Network vSphere vMotion
▪ VMware vSphere® Network I/O Control
▪ Per-port policy settings
▪ Port state monitoring
▪ NetFlow
▪ Port mirroring
Private VLANs
A private VLAN is:
▪ An extension to the VLAN standard
▪ Further segmentation of a single VLAN into secondary private VLANs
A secondary private VLAN:
▪ Exists only in the primary VLAN
▪ Shares the same IP network address
▪ Is identified on the physical and distributed switches by a unique VLAN ID
Types of Secondary Private VLANs
Three types of secondary private VLANs:
▪ Promiscuous
▪ Isolated
▪ Community
The type of secondary private VLAN determines packet forwarding rules.
Primary  Secondary  Type
5        5          promiscuous
5        155        isolated
5        17         community
Promiscuous Private VLANs
A node attached to a port in a promiscuous secondary private VLAN can send and receive packets to any node in any other secondary private VLAN associated with the same primary. Routers are typically attached to promiscuous ports.
[Diagram: VM 1 through VM 6 attached to ports in the secondary private VLANs 5, 155 and 17 of primary VLAN 5]
Primary  Secondary  Type
5        5          promiscuous
5        155        isolated
5        17         community
Isolated Private VLANs
A node attached to a port in an isolated secondary private VLAN can send to and receive packets only from the promiscuous private VLAN. Only one isolated secondary private VLAN is permitted per primary.
[Diagram: VM 1 through VM 6 attached to ports in the secondary private VLANs 5, 155 and 17 of primary VLAN 5]
Primary  Secondary  Type
5        5          promiscuous
5        155        isolated
5        17         community
Community Private VLANs
A node attached to a port in a community secondary private VLAN can send to and receive packets from other ports in the same secondary private VLAN as well as ports in the promiscuous private VLAN.
[Diagram: VM 1 through VM 6 attached to ports in the secondary private VLANs 5, 155 and 17 of primary VLAN 5]
Primary  Secondary  Type
5        5          promiscuous
5        155        isolated
5        17         community
Physical Switch Implementation of Private VLANs
▪ Standard 802.1Q tagging
▪ No double encapsulation
▪ Physical switch software decides which ports to forward the frame to, based on the tag and the private VLAN tables.
[Diagram: distributed switch uplinks carrying VLAN 5 / private VLAN 5 (promiscuous), private VLAN 155 (isolated) and private VLAN 17 (community) to the physical switch]
For private VLANs, the VLAN ID is the secondary ID.
Primary  Secondary  Type
5        5          promiscuous
5        155        isolated
5        17         community
Private VLANs and Physical Switches
Frames that travel are tagged with the secondary ID. Each virtual machine can send to and receive from different secondary private VLANs.
▪ Examples: community and promiscuous
A physical switch can be confused by the fact that each MAC address is visible in more than one VLAN tag. A physical switch must have a trunk port to the VMware® ESXi™ host and must not be in a secondary private VLAN. Most private VLAN problems are caused by physical switches that are configured incorrectly.
▪ Compare the private VLAN map in the physical switch to the private VLAN configuration in the distributed switch.
Private VLAN-Aware Physical Switch
▪ A virtual machine in a promiscuous private VLAN sends an ARP request for a virtual machine in an isolated private VLAN.
▪ The target virtual machine is on a different ESXi host.
▪ The physical switch is private VLAN-aware.
[Diagram: the ARP request leaves the promiscuous virtual machine untagged (tag: none) and is sent by the distributed switch with tag 5; the private VLAN logic in the physical switch detects that the destination is isolated, so it acts as if the tag were 155, and the request is delivered to the isolated virtual machine untagged. The ARP reply leaves the isolated virtual machine untagged, travels with tag 155 through the physical switch, and is delivered to the promiscuous virtual machine untagged. Switch ports see the same MAC address through different VLAN tags.]
Primary  Secondary  Type
5        5          promiscuous
5        155        isolated
5        17         community
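The forwarding rules for the three secondary private VLAN types, the ARP walk-through above, and the advice to compare the physical switch's private VLAN map with the distributed switch's configuration, as one added Python model. This is an illustration written for this page, not VMware code: the private VLAN map values (primary 5; secondaries 5, 155, 17) come from the slides, while the function names and the deliberately mis-configured physical-switch map in the usage block are constructed assumptions.

```python
"""Toy model of the private VLAN forwarding rules on the slides.

Constructed example for illustration, not VMware code. The private
VLAN map (primary 5; secondaries 5 promiscuous, 155 isolated,
17 community) is the one from the slides; the functions encode the
stated rules for the three secondary types and the check that the
physical switch's private VLAN map matches the distributed switch's.
"""

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

# Private VLAN map as on the slides: secondary ID -> (primary ID, type).
PVLAN_MAP = {
    5: (5, PROMISCUOUS),
    155: (5, ISOLATED),
    17: (5, COMMUNITY),
}


def map_problems(pvlan_map):
    """Structural rules from the slides: the promiscuous secondary ID is the
    primary ID itself, and at most one isolated secondary exists per primary."""
    problems = []
    isolated_count = {}
    for secondary, (primary, kind) in pvlan_map.items():
        if kind == PROMISCUOUS and secondary != primary:
            problems.append(f"promiscuous secondary {secondary} must equal primary {primary}")
        if kind == ISOLATED:
            isolated_count[primary] = isolated_count.get(primary, 0) + 1
    for primary, count in isolated_count.items():
        if count > 1:
            problems.append(f"primary {primary} has {count} isolated secondaries (max 1)")
    return problems


def can_forward(src_secondary, dst_secondary, pvlan_map=PVLAN_MAP):
    """Can a frame from a port in src_secondary reach a port in dst_secondary?"""
    src_primary, src_kind = pvlan_map[src_secondary]
    dst_primary, dst_kind = pvlan_map[dst_secondary]
    if src_primary != dst_primary:
        return False                      # different primary VLANs never forward
    if PROMISCUOUS in (src_kind, dst_kind):
        return True                       # promiscuous talks to everything in the primary
    # Only a community talks to itself; isolated ports cannot even reach each other.
    return src_kind == COMMUNITY and src_secondary == dst_secondary


def wire_tag(src_secondary, pvlan_map=PVLAN_MAP):
    """Tag the distributed switch puts on a frame leaving the host: the source
    port's secondary ID (which is the primary ID for the promiscuous VLAN)."""
    if src_secondary not in pvlan_map:
        raise KeyError(f"secondary {src_secondary} is not in the private VLAN map")
    return src_secondary


def arp_exchange(requester_secondary, target_secondary, pvlan_map=PVLAN_MAP):
    """Walk through the slide's ARP scenario between two hosts: the tags the
    physical switch sees on the request and on the reply, or [] when the
    private VLAN logic does not forward the request."""
    if not can_forward(requester_secondary, target_secondary, pvlan_map):
        return []
    return [
        ("request", wire_tag(requester_secondary, pvlan_map)),
        ("reply", wire_tag(target_secondary, pvlan_map)),
    ]


def map_mismatches(dvs_map, physical_map):
    """Compare the distributed switch's private VLAN configuration with the
    physical switch's map; returns {secondary: (dvs_entry, physical_entry)}."""
    diffs = {}
    for secondary in sorted(set(dvs_map) | set(physical_map)):
        if dvs_map.get(secondary) != physical_map.get(secondary):
            diffs[secondary] = (dvs_map.get(secondary), physical_map.get(secondary))
    return diffs


if __name__ == "__main__":
    print("map problems:", map_problems(PVLAN_MAP))
    for src, dst in [(5, 155), (155, 155), (17, 17), (17, 155), (155, 5)]:
        print(f"{src:>3} -> {dst:<3} forwarded={can_forward(src, dst)}")
    print("ARP promiscuous -> isolated:", arp_exchange(5, 155))
    # Constructed mis-configured physical switch: community VLAN 17 is missing.
    print("mismatches:", map_mismatches(PVLAN_MAP, {5: (5, PROMISCUOUS), 155: (5, ISOLATED)}))
```

The request from the promiscuous virtual machine travels with tag 5 and the reply from the isolated one with tag 155, which is why a physical switch sees one MAC address behind two tags; `map_mismatches` is the check the slide recommends, reduced to a dictionary diff of the two maps.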
Configuring and Assigning Private VLANs
Configure: Select the distributed switch and select Private VLAN > Edit.
Assign: Right-click the distributed port group, select Edit Settings, and select VLAN.
Lesson 4: vCenter Single Sign-On
Learner Objectives
By the end of this lesson, you should be able to meet the following objectives:
▪ Describe the features and benefits of VMware® vCenter™ Single Sign-On™
▪ Describe the vCenter Single Sign-On architecture
▪ Define the vCenter Single Sign-On deployment modes
▪ List the options for protecting vCenter Single Sign-On
▪ Describe how to install vCenter Single Sign-On
▪ Describe how to configure vCenter Single Sign-On
▪ Use vCenter Single Sign-On to create users and assign roles
About vCenter Single Sign-On
vCenter Single Sign-On is an authentication service that secures the VMware cloud infrastructure platform. vCenter Single Sign-On allows vSphere software components to communicate with each other through a secure token mechanism.
[Diagram: vCenter Single Sign-On in the center, with the vSphere Web Client, vCenter Server, VMware® vCenter™ Orchestrator™ and VMware® vCloud Director® as clients, and AD and Open LDAP as identity sources]
Benefits of vCenter Single Sign-On
vCenter Single Sign-On has the following benefits:
▪ Faster operations and a less complex authentication process
▪ Ability of vSphere solutions to trust each other without requiring authentication every time a solution is accessed
▪ An architecture that supports multi-instance and multisite configurations that provide for single-solution authentication across the entire environment
Features of vCenter Single Sign-On
vCenter Single Sign-On has the following features:
▪ Support for open standards
▪ Support for multiple user repositories, including Active Directory and OpenLDAP
▪ Ability for users to see all vCenter Server instances for which they have permission
▪ No need to use vCenter Linked Mode for unified views of vCenter Server instances
How vCenter Single Sign-On Works
When logging in to vSphere, authentication is passed to vCenter Single Sign-On. On successful authentication, a security token is used to access vSphere components.
[Diagram: six numbered steps between the vCenter Single Sign-On Server (Identity Manager Service (IDM), VMware Directory Service (vmdir), Security Token Service, AdminService, IDM Client), the identity sources (Open LDAP, AD), the vCenter Lookup Service and vCenter Server]
About Identity Sources and the Default Domain
Identity source:
▪ A repository for users and groups that vCenter Single Sign-On can use for user authentication
▪ Usually a directory service like Active Directory or Open LDAP
▪ Provides a means to attach one or more domains to vCenter Single Sign-On
Default domain:
▪ Used by vCenter Single Sign-On to authenticate users when the user logs in without a domain name
▪ One system identity source named vsphere.local is created when you install vCenter Single Sign-On
▪ vsphere.local is the default domain
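The login flow from "How vCenter Single Sign-On Works" (authentication handed to Single Sign-On, a security token returned on success) together with the identity-source and default-domain rules above, as one added Python model written for this page. It is not VMware code: the in-memory identity sources, the password hashing, the `TokenService` class and its base64-plus-HMAC token format are constructed assumptions for illustration; the real Security Token Service issues SAML tokens and queries Active Directory or OpenLDAP. The domain name vsphere.local and its role as default domain are taken from the slides.

```python
"""Toy model of the vCenter Single Sign-On login flow described on the
slides: identity sources keyed by domain, a default domain for logins
that omit one, and a signed, expiring token returned on success.

Constructed example, not VMware code. The in-memory identity sources,
the password hashing and the base64+HMAC token format are assumptions
for illustration only.
"""
import base64
import hashlib
import hmac
import json
import time

DEFAULT_DOMAIN = "vsphere.local"   # system identity source created at install (slides)


def _pw_hash(password):
    # Toy password store; a real store would use salted, slow hashing.
    return hashlib.sha256(password.encode()).hexdigest()


# Hypothetical identity sources: domain -> {user: password hash} (constructed).
IDENTITY_SOURCES = {
    "vsphere.local": {"administrator": _pw_hash("VMware1!")},
    "corp.example": {"alice": _pw_hash("alice-pass")},
}


def resolve_principal(login, default_domain=DEFAULT_DOMAIN):
    """Split 'user@domain' or 'DOMAIN\\user'; a bare user name is looked up
    in the default domain, as the slides describe."""
    if "@" in login:
        user, domain = login.rsplit("@", 1)
    elif "\\" in login:
        domain, user = login.split("\\", 1)
    else:
        user, domain = login, default_domain
    return user.lower(), domain.lower()


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Stand-in for the Security Token Service: authenticates a login against
    the matching identity source and issues/validates HMAC-signed tokens."""

    def __init__(self, signing_key, lifetime_s=600, sources=IDENTITY_SOURCES):
        self.key = signing_key
        self.lifetime = lifetime_s
        self.sources = sources

    def authenticate(self, login, password, now=None):
        """Return a token on success, None on any failure; unknown domain,
        unknown user and wrong password are indistinguishable to the caller."""
        user, domain = resolve_principal(login)
        source = self.sources.get(domain)
        if source is None:
            return None
        stored = source.get(user)
        if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
            return None
        return self._issue(user, domain, int(time.time()) if now is None else now)

    def _issue(self, user, domain, now):
        claims = {"sub": f"{user}@{domain}", "iat": now, "exp": now + self.lifetime}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def validate(self, token, now=None):
        """Return the claims if the signature verifies and the token has not
        expired, else None. The signature is checked before the body is parsed."""
        now = int(time.time()) if now is None else now
        if token.count(".") != 1:
            return None
        body, sig = token.split(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return None
        return claims


if __name__ == "__main__":
    sts = TokenService(b"demo-signing-key")    # constructed key
    token = sts.authenticate("administrator", "VMware1!")   # bare name -> vsphere.local
    print("issued:", token is not None)
    print("claims:", sts.validate(token))
    print("wrong password ->", sts.authenticate("administrator", "nope"))
```

A component that receives the token only needs the signing key and the clock to accept it, which is the "trust each other without authenticating every time" property the benefits slide lists; a token signed under a different key, altered in transit, or presented after its expiry is rejected before any claim is read.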
Supported Identity Sources
Identity source: Active Directory versions 2003 and later
  Description: Only one Active Directory domain as an identity source is allowed.
  Name in vSphere Web Client: Active Directory (Integrated Windows Authentication)
Identity source: Active Directory over LDAP
  Description: This identity source is included mainly for compatibility with version 5.1 of vCenter Single Sign-On.
  Name in vSphere Web Client: Active Directory as an LDAP Server
Identity source: OpenLDAP versions 2.4 and later
  Description: Multiple OpenLDAP identity sources are allowed.
  Name in vSphere Web Client: OpenLDAP
Identity source: Local operating system users
  Description: This identity source exists only in basic mode deployments, not in multisite mode or high availability–mode deployments.
  Name in vSphere Web Client: localos
Identity source: vCenter Single Sign-On users
  Description: This identity source is created during the install.
  Name in vSphere Web Client: vsphere.local
vCenter Single Sign-On Architecture
vCenter Single Sign-On components are deployed as part of the installation.
[Diagram: the vCenter Single Sign-On Server (Security Token Service, Identity Manager Service, VMware Directory Service (vmdir), AdminService, Identity Manager Client) backed by Open LDAP and AD, serving the vCenter Lookup Service, vCenter Server instances, vCenter Orchestrator and vCloud Director]
About vCenter Single Sign-On Deployment Modes
vCenter Server provides several ways to deploy vCenter Single Sign-On to best serve your vSphere environment. You can deploy vCenter Single Sign-On in one of the following modes:
▪ Basic
▪ Multiple vCenter Single Sign-On instances in the same location
▪ Multiple vCenter Single Sign-On instances in different locations
Basic Deployment Mode
Basic mode is the most common deployment option. You usually use the Simple Install option to deploy vCenter Server with vCenter Single Sign-On in basic mode. Basic mode is appropriate for the following scenarios:
▪ You have a single vCenter Server instance of an inventory size of up to 1,000 hosts or 10,000 virtual machines.
▪ You have geographically dispersed vCenter Server instances that are administered independently of each other.
▪ You are using vCenter Server Appliance.
[Diagram: vCenter Single Sign-On, vCenter Inventory Service, vSphere Web Client and vCenter Server on one Windows vCenter Server system or vCenter Server Appliance]
Multiple Single Sign-On Instances in the Same Location
This deployment mode provides high availability for your vCenter Single Sign-On environment. Use this mode if you do not plan to use VMware vSphere® High Availability or VMware® vCenter™ Server Heartbeat™, but high availability of the vCenter Single Sign-On server is required.
[Diagram: a network load balancer in front of two vCenter Single Sign-On instances with synchronized vmdir, serving the vCenter Inventory Service, vSphere Web Client and vCenter Server]
Multiple Single Sign-On Instances in Multiple Locations
This mode is required when you have geographically dispersed vCenter Server systems and you must administer these instances in Linked Mode.
[Diagram: two sites, Virginia and New York, each with a vCenter Inventory Service, vSphere Web Client, vCenter Server and vCenter Single Sign-On instance; the vmdir instances at the two sites are synchronized]
Protecting vCenter Single Sign-On
vSphere provides several ways to ensure the availability of your vSphere deployment with vCenter Single Sign-On.
Option: Backup and restore
  Description: Solution must be independent of vCenter Server. Recovery requires manual intervention.
  Recovery time required: Hours or days
Option: vSphere HA
  Description: vSphere feature for maintaining uptime of virtual machines and detecting ESXi host failure
  Recovery time required: Minutes
Option: vCenter Server Heartbeat
  Description: Separately licensed vCenter Server plug-in provides vCenter Server protection (physical or virtual) and can protect against host failure.
  Recovery time required: Minutes
Option: vCenter Server Single Sign-On high availability mode
  Description: Primary vCenter Single Sign-On instance paired with a second vCenter Single Sign-On instance
  Recovery time required: Seconds
Installing vCenter Single Sign-On
Using the VMware vCenter Installer:
▪ Use the Simple Install option to deploy basic mode.
▪ Use the Custom Install option to install multisite or high availability mode.
During the custom install, you are prompted to select a deployment mode:
▪ Primary Node
▪ High availability
▪ Multisite