Mar 28

Remember Remember, Edit your Host Profile before applying.

Well today I remembered something, well to be truthful, I remembered it five minutes after moving my new hosts into maintenance mode, applying my newly created host profile from my reference host, filling in the network details for all the port groups and VMkernel groups and clicking finish.

So what exactly did I remember? Well I remembered that before you apply a reference host profile to a host that is over 6000 miles away (well to be fair, even if it is under your desk or hosted on your desktop), always remember to remove the policy that relates to your primary management console. Why? I hear you ask.


Mar 26

VMware Security Advisory – VMSA-2015-0001.2

I have not done any of these for a while, so here we go. This is a catch-all advisory to close down a number of vulnerabilities; the original advisory was released in January, and this one adds a couple of new products that have been patched. If your product is listed as having an available patch, then update to close down the risk.

Mar 15

NSX Packet Walks

I was once asked an interview question that was a very simple question with an interesting answer: how does a switch pass packets?

I'm going to start this blog post with that question, but in a virtual environment. Then I'm going to extrapolate to a couple of NSX situations that I find quite interesting.

Basic Network

The above diagram shows two VMs on the same VLAN. The vSwitches can be standard or distributed, and the physical switches could be anything from a desktop unmanaged switch through to a Nexus. For our purposes, that doesn’t matter.

The two VMs boot. They have a MAC address (Layer 2) and an IP address (Layer 3) preconfigured. Just for fun we'll assume they each have the IP address of the other in their hosts file, so we don't have to involve DNS. VM1 wants to send a packet to VM2.

  1. VM1 knows the IP address of VM2, and knows that it is on the same subnet (so it will not send the packet to the default gateway). It does not know the MAC address of VM2 though, so VM1 sends an ARP packet to FF:FF:FF:FF:FF:FF, the Layer 2 broadcast address. This is passed via the port group into the vSwitch. At this point the vSwitch stores VM1's MAC in its CAM table and its IP address in its FIB table.
  2. The vSwitch passes the packet to the physical switch. The physical switch stores the IP and MAC of VM1 along with the port the packet entered on.
  3. The first physical switch passes the broadcast traffic out of all ports, but stores where the request came from in its tables.
  4. The second physical switch passes the broadcast traffic out of all ports, but stores where the request came from in its tables.
  5. The second vSwitch passes the broadcast traffic out of all ports, but stores where the request came from in its tables.
  6. VM2 sees the request and replies. This time the destination MAC is known, so the packet is passed back through the steps in reverse order. At each step the physical and virtual switches store the MAC address of VM2 in their CAM tables and pass the packet out of a single port, back toward VM1.

This is about the simplest conversation that can happen over a switched Ethernet network.

Now let’s step it up a gear.
Basic NSX Network

Here we have a very simple NSX-based network. I am assuming one transport zone, set to "unicast mode", with one logical network (say VXLAN 5001) to which both VMs are attached. In this case each host, on boot, is notified of the other hosts in the transport zone, and a tunnel is negotiated between the hosts. This tunnel is terminated at a VTEP, or Virtual Tunnel End Point, within the ESX kernel.

One of the key differences between unicast mode and the other modes is that, in unicast mode, the host relays the IP information for the VM to the controllers, which then relay that information to the Distributed Virtual Switches that make up the Logical Switch. This means that when the ARP is generated at step 1, the host already knows the IP/MAC combination of VM2. The full flow is:

  1. VM1 sends an ARP packet to FF:FF:FF:FF:FF:FF. This is passed to the local dvSwitch and into the VTEP.
  2. The VTEP encapsulates the ARP into a VXLAN packet with the destination MAC address being the VTEP MAC address of the host VM2 is running on, and the source address being its own VTEP MAC address. This packet is pushed out to the physical switch.
  3. In normal circumstances the physical switches will have the VTEP MAC addresses through communication with the controller, and tunnel initiation, but if not, this is identical to the first scenario, except the VTEP MAC addresses are used, not the VM addresses.
  4. The second physical switch acts again just like it did last time.
  5. The VTEP de-encapsulates the packet, and passes the original ARP into the dvSwitch.
  6. The packet is delivered to the VMs on that VLAN on that host, and VM2 responds.

In both scenarios our VMs have both sent and received the same information. Notice, though, how in the second case the physical switches never see the VMs' MAC addresses. This means we've just reduced the CAM and FIB tables on the switches by a couple of orders of magnitude. By not having to hold the hundreds of MAC and IP addresses of the VMs, the switches can have much smaller and much more efficient CAM and FIB tables. This is not likely to be an issue for the average enterprise network, but it can help service providers with thousands of VMs in their farms.
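To make the two packet walks concrete, here is a small simulation I have added to this post (it is not NSX code and not part of the original). It models a learning switch the way steps 1 to 6 describe it (learn the source MAC on the ingress port, flood broadcasts and unknown destinations, forward known destinations out of one port), an ARP-capable VM, and a VTEP that turns the broadcast ARP into a unicast VXLAN-style frame addressed to the remote VTEP using controller-distributed tables. The MAC addresses, IPs, port names and the `Controller` tables are all constructed for the example; the physical switches start with empty CAM tables, so the first outer frame is flooded exactly as step 3 of the NSX walk allows. Running both walks lets you compare what the physical switches actually learned.

```python
"""Toy model of the two ARP walks: flat VLAN vs. NSX unicast-mode logical
switch. Added example, not NSX code; all addresses and tables are constructed."""
from dataclasses import dataclass
from typing import Dict

BROADCAST = "ff:ff:ff:ff:ff:ff"
VM1_MAC, VM2_MAC = "00:50:56:00:00:01", "00:50:56:00:00:02"      # constructed
VTEP1_MAC, VTEP2_MAC = "00:50:56:aa:00:01", "00:50:56:aa:00:02"  # constructed


@dataclass
class Frame:
    src: str         # source MAC
    dst: str         # destination MAC
    payload: object  # ARP dict, or an inner Frame when VXLAN-encapsulated


class Device:
    def __init__(self, name):
        self.name = name
        self.links = {}  # local port -> (peer device, peer port)

    def connect(self, port, peer, peer_port):
        self.links[port] = (peer, peer_port)
        peer.links[peer_port] = (self, port)

    def send(self, port, frame):
        peer, peer_port = self.links[port]
        peer.receive(frame, peer_port)

    def receive(self, frame, in_port):
        raise NotImplementedError


class LearningSwitch(Device):
    """vSwitch or physical switch: learn the source MAC on the ingress port,
    flood broadcast/unknown unicast, otherwise forward on the one port the
    CAM table names."""
    def __init__(self, name):
        super().__init__(name)
        self.cam = {}  # MAC -> port

    def receive(self, frame, in_port):
        self.cam[frame.src] = in_port
        if frame.dst == BROADCAST or frame.dst not in self.cam:
            for port in self.links:
                if port != in_port:
                    self.send(port, frame)
        else:
            self.send(self.cam[frame.dst], frame)


class VM(Device):
    def __init__(self, name, mac, ip):
        super().__init__(name)
        self.mac, self.ip, self.arp = mac, ip, {}  # arp: IP -> MAC

    def arp_request(self, target_ip):
        arp = {"op": "request", "sip": self.ip, "smac": self.mac, "tip": target_ip}
        self.send("nic", Frame(self.mac, BROADCAST, arp))

    def receive(self, frame, in_port):
        arp = frame.payload
        if arp["tip"] != self.ip:
            return
        self.arp[arp["sip"]] = arp["smac"]
        if arp["op"] == "request":  # unicast reply straight back to the asker
            reply = {"op": "reply", "sip": self.ip, "smac": self.mac, "tip": arp["sip"]}
            self.send("nic", Frame(self.mac, arp["smac"], reply))


@dataclass
class Controller:
    """What the hosts have reported to the controllers (constructed tables)."""
    ip_to_mac: Dict[str, str]
    mac_to_vtep: Dict[str, str]  # VM MAC -> VTEP MAC of the host running it


class VTEP(Device):
    """Between the host's dvSwitch ('inside' port) and its uplink ('uplink' port)."""
    def __init__(self, name, mac, ctrl):
        super().__init__(name)
        self.mac, self.ctrl = mac, ctrl

    def receive(self, frame, in_port):
        if in_port == "inside":
            inner_dst = frame.dst
            if inner_dst == BROADCAST:  # unicast mode: resolve the ARP target from controller data
                inner_dst = self.ctrl.ip_to_mac[frame.payload["tip"]]
            remote = self.ctrl.mac_to_vtep[inner_dst]
            self.send("uplink", Frame(self.mac, remote, frame))  # outer frame: VTEP to VTEP
        elif in_port == "uplink" and frame.dst == self.mac:
            self.send("inside", frame.payload)  # de-encapsulate, hand the inner frame to the dvSwitch


def run_arp_walk(nsx_unicast):
    """VM1 -> vSwitch1 -> [VTEP1] -> pSwitch1 -> pSwitch2 -> [VTEP2] -> vSwitch2 -> VM2."""
    vm1, vm2 = VM("VM1", VM1_MAC, "10.0.0.1"), VM("VM2", VM2_MAC, "10.0.0.2")
    vsw1, vsw2 = LearningSwitch("vSwitch1"), LearningSwitch("vSwitch2")
    psw1, psw2 = LearningSwitch("pSwitch1"), LearningSwitch("pSwitch2")
    vm1.connect("nic", vsw1, "p1")
    vsw2.connect("p1", vm2, "nic")
    psw1.connect("g2", psw2, "g1")
    if nsx_unicast:
        ctrl = Controller({vm1.ip: VM1_MAC, vm2.ip: VM2_MAC},
                          {VM1_MAC: VTEP1_MAC, VM2_MAC: VTEP2_MAC})
        vtep1, vtep2 = VTEP("VTEP1", VTEP1_MAC, ctrl), VTEP("VTEP2", VTEP2_MAC, ctrl)
        vsw1.connect("uplink", vtep1, "inside")
        vtep1.connect("uplink", psw1, "g1")
        psw2.connect("g2", vtep2, "uplink")
        vtep2.connect("inside", vsw2, "uplink")
    else:
        vsw1.connect("uplink", psw1, "g1")
        psw2.connect("g2", vsw2, "uplink")
    vm1.arp_request(vm2.ip)
    return {"vm1_arp": vm1.arp, "vm2_arp": vm2.arp,
            "pswitch1_cam": psw1.cam, "pswitch2_cam": psw2.cam}


if __name__ == "__main__":
    for mode in (False, True):
        print("NSX unicast mode" if mode else "Flat VLAN", run_arp_walk(mode))
```

In both runs VM1 ends up with VM2's MAC in its ARP table, but only in the flat VLAN run do the physical switches' CAM tables contain the VM MACs; in the NSX run they contain just the two VTEP MACs, which is the table-size saving the post describes.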

In the next post I will continue with situations that involve routing.

Mar 05

News: $2,000 Network Penetration Test Changes the Cyber Security Industry

If you’ve ever engaged the services of a penetration testing company, you know they’re not cheap. In fact, it’s not unusual to feel you’ve been slapped, thrown in a bag, and hung up to dry. These types of costs can be absorbed by larger companies and enterprises, but not smaller ones, which lack the budgets to take that kind of hit.

Most small and medium businesses (SMBs) lack the funding for a five-figure report. Yet, it can be argued that these companies are more in need of this sort of professional aid. If they lack the budget for penetration testing, they also lack the budget for a large team of security experts to continually monitor and protect their assets.


Feb 27

News: Barriers to Community Broadband Struck Down

On February 26 in a groundbreaking announcement, the Federal Communications Commission (FCC) agreed in a 3 – 2 vote to recognize the rights of two southern US cities (Chattanooga, Tennessee, and Wilson, North Carolina) to build their own publicly owned high-speed Internet networks in areas where incumbents had refused to invest in modern infrastructure to support high-speed broadband connectivity.  This is a common issue across the United States of America. Speaking as a Brit looking in, we on the other side of the pond think that the US must have gigabit speeds to every house. However, the truth is that more than 75% of US citizens have little or no access even to speeds that we in the UK consider slow.


Feb 27

Xtravirt Releases SONAR — Reporting as a Service

Xtravirt has earned a reputation as a leader in virtualization and cloud technologies, and its consultants regularly work on some of the most complicated environments in Europe.

Xtravirt has also been active in the community, releasing tools and Visio stencils to help clients plan their virtualization processes. Tools like vPi and the Document Downloader are staples in many a virtualization consultant’s armoury.

On February 17, Xtravirt released its first true software product, SONAR™.


Jan 23

IBM Releases a New Mainframe

In this day and age of cloud computing, this article’s headline may come as a bit of a shock to many of you. Yes, the mainframe is still a thing. And IBM’s newest is a beast of a machine, capable of over 2.5 billion transactions a day, with real-time encryption built in.

Also likely to surprise a lot of cloud people is the number of common, day-to-day activities that depend on the elderly gentleman of the computing world. Operating in the background, mainframes are critical to activities including banking, online and in-store shopping, purchasing car insurance, booking travel, registering for university classes, registering a motor vehicle, obtaining a driving licence, filing taxes (whether with the IRS in the US, HMRC in the UK, or the Bundeszentralamt für Steuern in Germany), and yes, even talking on the phone, whether mobile or fixed.

Jan 03

What Is SDN? The History of All Things SDN

Software-defined networking (SDN) is clearly one of the hot items of the tech field at the moment. VMware’s purchase of Nicira precipitated a sea change, leading to today’s plethora of SDN vendors and array of competing technologies. It reminds me of the early noughties—the introduction of virtualization, competing hypervisor technology stacks and Unix/Linux Zones*—followed by the scramble of the incumbents as they claimed performance penalties for virtualized operating systems and platforms, followed by spreading FUD about support status and onerous licensing models.

Jan 02

When Is a Startup No Longer a Startup?

When is a startup company no longer a startup? Is it post-IPO (initial public offering)? Is it when the founders exit? After seed funding? After Round A? Round B? Round Z? It seems to me that companies have started clinging to the title “startup” for quite a bit longer than they used to.

What prompted this question? Recently, I saw a Tweet from Nexenta’s Mike Letschin. What caught my eye is that it referred to “life as a startup.” Now, I am pretty sure that Nexenta has been around for almost ten years now. In fact, it even states so on its website. I don’t know about you, but ten years seems to me a long time to be a startup. If you were a child in the UK, you would have finished Nursery, Reception, and Infants and would now be in about your last year of Junior Education before moving up to High School. Mind you, this is not a vendor-bashing post; far from it—the two vendors I have chosen to discuss are both “big kids.”


Dec 23

Containers: The Emperor’s New Clothes

We in IT love our buzzwords and the next best new thing. But am I really the only person who cannot see the point of containers? I mean, those of us who were working in IT during the early noughties at the birth of virtualization in the enterprise will well remember containers—sorry, Solaris Zones—from Sun Microsystems. We should also remember that the questions they were supposed to answer were better answered by the then-newfangled technology called “virtualization” from a little-known upstart company called “VMware.”
