
June 2009

Top VMware Bloggers

Tuesday, June 30, 2009

A few weeks ago Eric Siebert decided it was time to update his list of top VMware blogs.

Eric has been running his top 20 list on vLaunchpad which he based on the following criteria.

  1. The first is posting frequency, if a blogger has not posted in many weeks or months I generally disqualify them. I’m looking for bloggers that post at least 2-3 times a month.
  2. Next is posting quality, if a blogger is generally just repeating news and things other people have written I also tend to disqualify them. I look for the bloggers that produce quality, informative posts and aren’t afraid to share their own opinions.
  3. Next is post length, short posts are OK for some things but the really long posts that contain lots of information score more points with me.
  4. Finally the length of time that the blogger has been posting, I generally don’t include ones that have been around for less than 3 months until they’ve established themselves.
You would have to agree that's a solid list of criteria.

Well for the update to the top 5 Eric decided a survey of the community was the way to go; after all it's the community who reads them, why not have them choose. Of course this prompted a rash of "Vote for me" posts by people like Vaughn, Scott Lowe, Steve, Cody Bunch, Jon Owings, Rich Brambley and Erik Scholten. Even Chad (obviously in the top two) got in on the act, soliciting votes on some Canadian national pride agenda. Duncan posted a pointer to the survey but did not actually call for votes, he probably figured he had no need! Me, well I was just stoked to be in the top 20 in the first place back when the original list was created. I wanted to wait until after voting was closed before posting anything.

So with the results coming out any day now I wondered what my top list would be (I voted off gut feeling).

I thought a great way to see who was worth reading, was to analyse the Top 5 Planet V12n blog posts put out by VMware each week. Duncan puts the list together by the looks of it.

I was able to find the last 11 weeks of data, which gave 55 entries. Counting how often each blogger had a top post of the week, the top 5 VMware bloggers are:
  • Duncan Epping (5)
  • Chad Sakac (3.5)
  • Scott Lowe (3)
  • Rodney Haywood (3)
  • Steve Chambers (3)
Chad got a half point because he had a joint post with Vaughn, that's fair. Scott is no surprise, the guy is a gun. Must admit, totally surprised to see myself and Steve there (no offence to Steve). Just goes to show, you can do anything with statistics. Congratulations to the other top 5.

Strangely there were five people who shared two each.
  • Rich Brambley (2)
  • Greg A. Lato (2)
  • Robert Patton (2)
  • Steve Kaplan (2)
  • Jason Boche (2)
So now all you need to do is wait for Eric to collate and post the results at http://vsphere-land.com/. Who is going to win the popularity contest?

Good luck everyone! However I think the bloggers will mosey on just as they always have, posting their thoughts, tips and ideas.


Scaling Cisco Unified Computing System (UCS)

Saturday, June 27, 2009

So Rodos, how much can I scale my Cisco Unified Computing System (UCS)? Great question. For those with a short attention span scroll to the table at the end, otherwise keep reading.

UCS is built for scale; when you look at the numbers it's impressive. Yet the devil is in the detail when it comes to scaling it out.

On initial thought you can look at the datasheet for the Fabric Interconnects and come up with some figures. There is the 6120 and the 6140 with 20 and 40 ports, so with two for redundancy you could run 20 chassis or 40 chassis, and each of these can have 8 B200 blades. Thinking this way is theoretically right, but that's not going to be a real world case.

Let's dive into what you would really need to do to hook your UCS environment together, doing some real world calculations.

First, there are five different interfacing requirements that need to be provisioned for:
  • Some Ethernet uplinks into the rest of the datacenter
  • Some Ethernet downlinks to the chassis
  • Some Fibre Channel links toward your Storage Fabric
  • The Ethernet link for the management system
  • The Ethernet links for the high availability of the UCS managers
The following picture shows where we can take each of these from.

Let's look at each one in turn.

One. Cluster Ports
There are 4 ports here. Two of these are the dual 10/100/1000 Ethernet clustering ports which are used for connecting two 6120/40s together; they do sync and heartbeat. You direct connect these with a standard Ethernet cable. The other two ports are reserved for future use. All of these ports are dedicated and you can not use them for any other purpose.

Two. Management port.
This is a dedicated 10/100/1000-Mbps Ethernet management port for out-of-band management.

Three & Four. SFP+ ports
The SFP+ ports take a number of cable types (copper or fiber) of varying lengths. They may be used to connect to the 2100 Fabric Extenders (FeX) modules inside the 5100 Chassis (that contains the blades). They may also be used to connect up to your data center switching core or aggregation point. We are going to come back to these two in some more detail.

Five. Expansion modules.
The expansion modules are used to provide further external connectivity. There are three types available.
  • Ethernet module that provides 6 ports of 10 Gigabit Ethernet using the SFP+ interface
  • Fibre Channel plus Ethernet module that provides 4 ports of 10 Gigabit Ethernet using the SFP+ interface; and 4 ports of 1/2/4-Gbps native Fibre Channel connectivity using the SFP interface
  • Fibre Channel module that provides 8 ports of 1/2/4-Gbps native Fibre Channel using the SFP interface for transparent connectivity with existing Fibre Channel networks
Most people are probably going to go with the 8 port FC one.

Okay, now that we have gotten all of that background out of the way (this is turning into a Chad diatribe post!) we can get to the interesting bit.

To provide bandwidth and redundancy you are going to consume ports.

If we go back to those uplinks to your aggregation switches, say a pair of Nexus 7000s, you are at least going to need some redundancy and bandwidth. As most of the switching will occur in the 6100s you probably don't need a massive amount of bandwidth out. I think a safe bet initially is two 10G links out of each 6100, at a pinch one out of each.

The real issue is around the links between the 2100 FeX units in the 5100 Chassis back up to the 6100s. Here is what they look like.

Here is where they sit in the back of the 5100 chassis.

Now you are going to have two FeX for redundancy. That means you are going to consume a minimum of one port on each 6100. But is that enough? If one was to fail, you now only have 10G of bandwidth and all of your storage and networking traffic for all eight blades is going to be going over this link. Also remember there is NO internal switching inside the chassis; all inter-blade traffic has to go up to the 6100 to be switched. Therefore I think the real world situation is to provision two ports from each FeX, and this halves the number of chassis you can connect into the 6100.

So here is a table that does some calculations based on how many uplink ports you want to your aggregation switches and how many ports you want to run from each chassis. It also shows how many blades this would give you and how many racks you would consume, given two chassis per rack (you are going to need a lot of power if you go more than two).

You can see that with 4 ports from each chassis (two per FeX) and 4 links to the aggregation switches (two per 6100) you are looking at either 9 or 19 chassis. That's either 72 or 152 blades, which is a LOT.

Out of interest I did some quick calculations on number of racks and possible VMs. If you put 48G of RAM per blade, which is optimal price wise, you could safely estimate 48 VMs per blade for a low RAM environment (1G per VM and a core ratio of 6:1) or 24 VMs per blade for a high RAM environment (2G per VM and a core ratio of 3:1).

So for a 6120 a realistic figure is five racks housing 9 chassis, 72 blades and somewhere between 1700 and 3400 VMs. That's not bad for a total of 40 cables!
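The table the post refers to is reconstructed below as an added example (my code, not Cisco's and not the post's own). It takes the rules above literally: the aggregation uplinks and the per-chassis FeX links are each split evenly across the two 6100s, eight blades per chassis, two chassis per rack, 48G per blade, and an assumed eight cores per B200, which is the figure that makes 48 VMs at 6:1 and 24 VMs at 3:1 come out. The port counts are the only inputs that come from the datasheet.

```python
import math

# Fixed 10G SFP+ port counts per Fabric Interconnect, as given in the post.
FI_PORTS = {"6120": 20, "6140": 40}
BLADES_PER_CHASSIS = 8   # B200 blades in a 5100 chassis
CHASSIS_PER_RACK = 2     # the post's power-driven assumption
CORES_PER_BLADE = 8      # assumption: two quad-core sockets (consistent with 48 VMs at 6:1)


def chassis_capacity(model, uplinks_total, chassis_ports_total):
    """Chassis that a redundant pair of 6100s can attach.

    uplinks_total        10G links from the pair to the aggregation switches,
                         split evenly over the two 6100s.
    chassis_ports_total  FeX-to-6100 links per chassis, split evenly over the
                         two FeX (each FeX cables to one 6100).
    """
    if uplinks_total % 2 or chassis_ports_total % 2 or chassis_ports_total == 0:
        raise ValueError("uplinks and chassis ports must split evenly across the two 6100s")
    per_fi_uplinks = uplinks_total // 2
    per_fi_chassis_ports = chassis_ports_total // 2
    free_ports = FI_PORTS[model] - per_fi_uplinks
    if free_ports <= 0:
        raise ValueError("no ports left for chassis after the uplinks")
    return free_ports // per_fi_chassis_ports


def sizing(model, uplinks_total, chassis_ports_total, ram_gb=48, cores=CORES_PER_BLADE):
    """One row of the post's table plus the VM estimate."""
    chassis = chassis_capacity(model, uplinks_total, chassis_ports_total)
    blades = chassis * BLADES_PER_CHASSIS
    # Each VM count is bounded by RAM and by the vCPU:core ratio; take the tighter bound.
    vms_low_ram = blades * min(ram_gb // 1, cores * 6)   # 1G per VM, 6:1
    vms_high_ram = blades * min(ram_gb // 2, cores * 3)  # 2G per VM, 3:1
    return {
        "model": model,
        "chassis": chassis,
        "blades": blades,
        "racks": math.ceil(chassis / CHASSIS_PER_RACK),
        "cables": chassis * chassis_ports_total + uplinks_total,
        "vms_high_ram": vms_high_ram,
        "vms_low_ram": vms_low_ram,
    }


if __name__ == "__main__":
    print("model uplinks chassis_ports chassis blades racks cables VMs(2G..1G)")
    for up in (2, 4):
        for cp in (2, 4):
            for model in ("6120", "6140"):
                r = sizing(model, up, cp)
                print(f"{model:5} {up:7} {cp:13} {r['chassis']:7} {r['blades']:6} "
                      f"{r['racks']:5} {r['cables']:6} {r['vms_high_ram']}..{r['vms_low_ram']}")
```

Running it prints the eight combinations of 2 or 4 uplinks and 2 or 4 ports per chassis for both interconnects; the 6120 row with 4 and 4 gives 9 chassis, 72 blades, 5 racks, 40 cables and 1728 to 3456 VMs, which are the figures in the post.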

Of course playing around with things there would be a few ways of tweaking at the edges of this, but I think you get the idea.


Panel - Toward Cloud Computing: Private Enterprise Clouds As A First Step

Friday, June 26, 2009

It's great to see people discussing cloud in a really constructive way. At the Structure 09 event "Put Cloud Computing to Work" in San Francisco there has been lots of cloud discussion.

I recommend you watch this video of a panel discussion moderated by George Gilbert from TechAlpha.

Toward Cloud Computing: Private Enterprise Clouds As A First Step
Enterprises are cautious about migrating their most demanding applications to public clouds. Public cloud infrastructure can’t run all existing enterprise applications, particularly the most mission critical, without some modification and more advanced management software. IT also faces concerns about security and control. Yet the lure of self-service provisioning and usage-based pricing is still strong. The solution? Build your own cloud with your existing infrastructure investment as a first step. This panel will explore how enterprise clouds are likely to take shape, building on the evolution of virtualization infrastructure and systems management technology as a foundation.
The people were
  • James Urquhart from Cisco
  • Chuck Hollis from EMC
  • Stephen Herrod from VMware
  • Scott Morrison from Layer 7
  • Kia Behnia from BMC
  • Brandon Watson from Microsoft
That's a great bunch of smart people. The only person that surprised me within the space was Scott from Layer 7, so I had to go and dig around to see what they are all about, interesting.

Some of the things discussed
  • Where Cisco Unified Computing System (UCS) fits in to the private cloud and virtualisation
  • VMware and providing isolation in the hardware layers
  • Virtualising storage and where/when is it appropriate to use it at the hypervisor, in the fabric or in the storage array.
  • Moving storage around with clouds. It's easy to move a virtual machine but try moving the TB of data behind it.
  • Management platforms, traditional versus the cloud with virtualisation.
  • It's all about the services.
  • The complexity of administration of all the different layers and having workers who can understand them all.
  • The impediment of rewriting your applications and data compliance.
To be honest I did not think the moderator did a great job of driving the questions and/or understanding the panel's answers. Some of the questions were just hard to understand (maybe it's just me). But the comments from the panelists are great.

Be warned, watching this will make you think. You can find the video at LiveStream and it should also be embedded below.


Attend VMworld 2009

Thursday, June 18, 2009

Why come to VMworld 2009?

This morning on the VMTN podcast John Troyer stated it was time for some blogs post in the community on why go to VMworld. Hey, count me in.

I do feel that I am qualified to comment here. I am a VMworld Alumni, having attended the last 3 years. For two years it was funded by my employer (thanks guys). One year, because I was in the period of transition between two employers, my wife paid, seriously. Don’t forget, I live in Australia so it's not an inexpensive exercise. I have lived through and succeeded in the task of negotiating with my wife as to why I should invest in taking an overseas trip just to attend VMworld.

Here are some reasons why you should attend VMworld 2009.
  • With so many sessions and such a large section of vendors there WILL be relevant content to your needs and area of interest. You will come away with concrete things that will make a difference. Every year VMworld has set my agenda for the next 12 months, none more than last year!
  • In the current economic climate we need to bring solutions to the business and not problems. Everyone knows virtualisation is one of the few areas that can bring returns to the business with short ROI. Yes you have already virtualised, but how much, 20%? How are you going to get to 90%? VMworld is a smart investment to achieve some business savings.
  • The exhibition hall has all the vendors you could ever want to talk to in regards to VMware. You can cover a lot of companies in a short period of time. At VMworld they have their best people on the stand who know their stuff. You can fast track your information gathering.
  • You are a geek, you love technology and you love VMware. Don’t kid yourself you are reading this blog post from some weird guy in Australia, you ARE a VMware geek. Being a VMware geek you just have to be part of the action. This is where it is at peoples, the announcements, the vendors, the personalities, the competitive shenanigans of Microsoft. If you want your bit of geek heaven, there is no better place to get it.
  • Tried and tested. VMworld has been at the Moscone center before. It had its challenges but that’s my point, it's tested. VMware knows what works and what does not in the facility. It should be one smooth running conference. I also think that San Francisco had the best food out of the lot.
  • Thanks to the GFC, deals on flights and accommodation are never going to be better. This is the least expensive time there will ever be to get there!
  • You can bring your spouse. Now your wife (or husband) may not get the VMware thing but some time in San Francisco might be welcomed. Crystal Lowe (wife of Scott) is organising spouse events again this year.
Now that you have been convinced you need to attend, here are my tips for attending VMworld.
  • Book your sessions early. They fill up and you want to get in on the good ones.
  • Go for sessions that are technology previews; you will have to read between the lines on some of the descriptions. Think about whether this is one that would be good to see in person versus watching the slide deck four weeks later.
  • Go to sessions where you can meet good people, like the people that write the code. They have insights and tips, that’s why you are there.
  • Go to sessions that are relevant to your work. It’s great to come back with something that you can action or share with your peers. In the session talk to the people around you or the speaker. They are there because they are interested in the topic too. You will get insights and contacts that will be helpful.
  • Ask a question in the sessions. Don’t ask stupid or obscure questions, ask ones that will suit the whole audience not just you, but ask one you care about. It helps the speaker and everyone else.
  • Arrive a day or two early and play tourist. This way you are fresh and can register before the crowds. VMworld is exhausting and most people get little sleep. If you plan on doing things afterwards you will probably just spend the time sleeping off the exhaustion.
  • Spend lots of time in the exhibit hall and talk to people on the stands. There are a lot of interesting people, tell them your issues and get their insights, ask how things may work in your environment. I find you need to do the whole thing a few times. Take a friend. I still remember walking up to the VMware booth and talking to a guy who was demoing Fusion and the multi-head support. I like Fusion and told him how sweet the new feature was. The guy just grinned, his eyes widened with pride and he said, “I wrote the code!”. The guy was so excited to share his contribution and tell me all about how awesome it was and you could see the boyish excitement on his face. Priceless.
  • Have spare space in your luggage for goodies, mainly books. If you are into such things you can grab a lot of free stuff. However I always collect up on a few books which are heavy and take up space. Then there is the VMware gear. My laptop bag, which is now getting a little tired, I picked up at VMworld and it has the VMware logo embroidered on it.
  • Stay close by. It saves on travel costs and travel time. One of the hotels that has the buses is fine too. It's great to be able to whip back to drop some stuff off, like your laptop, because you don’t need it for the rest of the day.
  • Organise your parties and events. Hook up with the vendors and get into the right parties. This is more key if you are a Partner but there are a lot of great parties where you can have some fun but continue to network and talk shop a bit.
  • Find your peers. As a partner one thing I love about VMworld is getting to spend some time with my competitors who are very smart and nice people. During the day our companies fight it out but at VMworld we get to talk shop and technology with people who really understand our jobs, market and vendors as intimately as we do, which is very rare. You can leave your ego at the door, not be competitive and not discuss confidential matters of course. You will be amazed at just how helpful dialog like this is to your daily job. I imagine if you are a customer then find people in the same space (they will be in those sessions you are in or the birds of a feather sessions) and you will have the same results.
  • Sort out your IT and communications. This is mainly for international travelers. Power adapters, roaming on your mobile, internet access; you want all of your IT to work whilst you are there. Then your communications. Do you have the mobile numbers of all the people you may want to be in contact with whilst you are there?
If you can’t afford to go, do one of two things. You can purchase the virtual attendance so you get access to the session recordings. They may take a little while to be available but the content is great and you will use it all year.

What if you can’t do that. Do what I did, tell your boss straight, if you don’t go you will resign. That’s what I did and I mean it, and he knows it too! (Note to Andrew, my boss. Yes I know I have a lot of work to do but I am writing this on the bus on the way home. You know, I WILL resign!)

Just don’t use that tactic with your wife.

See you there.


UPDATE : To add in the spouse activities.



Is VMsafe the same as vShield?

I have been getting this question a bit since my last post on VMware vShield Zones. It is a question that people really should be asking because there is confusion between the two technologies that needs to be cleared up.

vShield Zones is a product that is released and uses the existing network switching techniques in vSwitches to intercept, monitor and control Layer 2/3 networking traffic. It only does networking. It happens to be part of vSphere licensing wise and it was released after vSphere was released.

VMsafe is a new technology or function inside vSphere. It allows a third party to build a solution, based on a virtual machine, which can inspect the memory, CPU, networking, storage and process execution of a virtual machine.

Here is how VMware explain the different elements.

  • Memory and CPU. VMsafe provides introspection of virtual machine memory pages and CPU states.
  • Networking. VMsafe enables filtering of network packets inside hypervisors, as well as within the security virtual machine itself.
  • Process execution. VMsafe provides in-guest, in-process APIs that enable complete monitoring and control of process execution.
  • Storage. Guest virtual machine disk files can be mounted, manipulated and modified as they persist on storage devices.
Here is a picture that tries to represent what it is doing.

I think Aaron Bawcom, VP of Engineering at Reflex Systems sums up VMsafe nicely when he writes
VMsafe is a low level enforcement API that allows developers to intercept and inspect memory, CPU, and network traffic for a virtual machine without requiring an agent to run inside the virtual machine itself. VMsafe allows a small kernel module to run inside the ESX hypervisor which intercepts traffic between the virtual network interface of a VM and the virtual switch. This capability offers an entirely new dimension to enterprise security. VMsafe will enable a whole new type of enterprise security that has been impractical to achieve until now. VMsafe will also allow an entire class of new security applications for the virtual environment by allowing organizations to specify granular security policy down to the virtual network interface of a virtual machine.
Whitepaper : New Directions in Virtualization Security: How Segmentation Can Strengthen Your Security Posture

VMsafe enables a lot and I don't think we will see one vendor do the whole stack, although some may try. A network security vendor may just use VMsafe as a better way to get at the networking flow of a VM (compared to the hoops that vShield has to go through). Another vendor may simply use it to scan the disks of VMs regardless of their power state to search for viruses or do data mining. An anti-virus vendor may use VMsafe to watch the CPU execution, outside of the VM.

So things to remember.
  • vShield Zones does not equal VMsafe
  • vShield Zones could one day use VMsafe to do its functions a different way
  • VMsafe as a technology is not released yet
  • A 3rd party product will be required that uses the VMsafe technology to actually do something
Hope that helps.


DaaS - More Incomplete Thought

Tuesday, June 16, 2009

The Hoff or @Beaker or whatever you like to call him (his mother still likes to call him Christofer I suspect) started working at Cisco this week as "Director, Cloud & Virtualization Solutions". Sounds like something you could sink your teeth into easily.

Hoff has been blogging on Cloud for a while and with his new role I think its going to increase. On his personal blog he posted an "Incomplete Thought: The Opportunity For Desktop As a Service – The Client Cloud?".

The summary (although its only short, go read it) is that Desktop as a Service (DaaS) has been thought of as relevant for the Internal Cloud but not really the Public Cloud.

Will DaaS be the next frontier of consolidation in the enterprise?

If you’re considering hosting your service instances elsewhere, why not your desktops? Citrix and VMware (as examples) seem to think you might…
I have done some thinking on DaaS. So here are some of my Incomplete Thoughts to "join the conversation" as to why.

If cloud is "Elastic Network Services" then one of those services is ultimately going to be DaaS. I often explain cloud to people as being like the cable that comes into their house. Today the services you probably get over the cable are telephony, television and Internet. They are each a different service and use a different interface/protocol. In the future another service will appear on that cable via another interface/protocol, a desktop. I have plenty of access devices in my house: laptops, televisions, game consoles, desktops. But if I need another computer for my children, why can't I just consume one for a while over the cable, paying as I go, using an existing access device. That's the future. Of course we will continue to consume more and more access devices; it is not simply a story about replacement.

But what about DaaS from the public cloud for the enterprise, what are the barriers to be able to move to adoption. Here are the two big ones.

Licensing - Some big changes need to occur in licensing. Microsoft need to allow providers to run their Desktop OSs in virtualised cloud environments at a reasonable rate. Certainly the issue does not completely go away in the Internal Cloud but its a lot better. We also need more choice. Imagine if Apple came out and said here is a program for providers to be able to run Mac OS X from within the cloud! Did I hear Apple just signed up to build a big data center?

Protocol - Infrastructure as a Service (IaaS) works well for cloud because most of the systems interact amongst themselves inside the cloud where high bandwidth is available. These IaaS workloads then usually interface back out of the cloud via different, standards based, protocols. The outward facing protocols are typically much more suited to remote delivery. For other cloud services such as Software as a Service (SaaS), they too, are working via protocols which are typically more standardized and suited to remote delivery. HTTP being the main one of course. However remote desktop delivery is a very different beast, there is no simple and efficient standard and they just don't have the true "full desktop experience" that wide adoption will expect. Yes we have ICA/RDP/RGS etc. Of course there is a lot of investment in this protocol space at the moment, such as PCoIP which is looking promising.

So a big yes to DaaS ultimately, but in the shorter term there is much better low hanging fruit in the IaaS and SaaS space. We will see DaaS come out of the private cloud rather than public first.

The best play I see today is where DaaS is hosted internally on the Internal Cloud where it communicates closer to the users latency wise using todays protocols. The protocols between the servers and the desktops are less coupled, compared to those between desktop and user, so we will see separation as the servers move off into private and public cloud. The separation of the servers has the advantage that the protocols between desktop and server are better able to cope with latency and their acceleration technologies are more mature. Then once the licensing and protocol issues of DaaS for the private/public cloud are resolved, we will see them migrate too.

With Hoff at Cisco, he can probably do something about the protocol, licensing may be more of a challenge.

Interesting times and great conversation. Why don't you join in and post in the comments on Hoff's post or this one.


VMworld 2009 Cloud Session


The catalog for VMworld 2009 sessions is starting to appear.

If you are into Cloud here are the ones that are relevant. Don't be fooled, there are quite a few that mention cloud but they are more about the internal cloud and are stretching the wording.

Securing vCloud - TA3901

Enterprises are looking for ways to expand their on-premise infrastructure to add capacities on demand, as well as SMBs or workgroups wanting a fully outsourced infrastructure, are investigating cloud computing. Many of today’s solutions have issues like proprietary application platforms that require redevelopment time to function off-premise, inability to move to another provider if SLAs aren’t met, and long lead times to move or set up new environments. This presentation is based on an actual customer experience utilizing VMware’s vCloud.

For customers, vCloud delivers peace of mind in knowing the services they get from hosting/service providers for disaster recovery, test and dev or just simple infrastructure on demand will be reliable, flexible, and secure. This presentation will analyze the core security and reliability components and demonstrate the security of the vCloud with an actual customer application failing the business defined Service Level Agreement (SLA) for the application due to security vulnerability, and the application migrating to the service provider environment to meet the SLA by mitigating the vulnerability.

Proposed agenda:
• security consideration for cloud environment
• how to preserve a consistent security policy regardless of hosting it on premise, or hosted by a cloud partner?
• how to define SLA for security?
• how to evaluate the security offering by a cloud partner?

Improved cloud interoperability using virtualization management standards - VM2706
This session will discuss the latest developments in virtualization management standards and how they can be used to provide improved cloud computing interoperability. It will cover the latest virtualization management standards activities within the Distributed Management Task Force (DMTF) that are being developed within its VMAN initiative. This includes updates and demonstrations of usage of Open Virtualization Format (OVF) for cloud portability. This session will also give a review of current implementations of these standards in various vendor offerings.

Introducing the VMware vCenter Suite: Managing Service Levels Across Dynamic IT Infrastructure - VM3235
VMware’s goal is to bring a new level of simplicity to managing IT, bringing greater efficiency, control and flexibility to IT operations than ever before. This session will highlight VMware’s vision for managing applications and IT services across dynamic infrastructure in the datacenter, including creation of the private cloud. It will highlight key enabling technologies for managing IT as a service, and will also provide an overview of the vCenter Suite of solutions that can help IT evolve toward a service-centric management model and reduce the cost and complexity of managing IT infrastructure.

Introduction to Redwood - Unknown
Sven Huisman posted that he noticed this session but I can't find it in the catalog. However I can't see any Technology Preview sessions so maybe that's why. Sven quoted the session as ... "VMware will be releasing an end-to-end solution for setting up internal and external clouds. In this session, product management will drill into the specifics of that offering. The first half of this presentation will introduce the scope and composition of the release; the second half will dive into specific technologies behind the cloud."

As more session details become available I will update cloud related ones back into this post.

See you at the sessions!


New face at VMware on Cloud - Jian Zhen


Having been writing on cloud for nearly a year now I just stumbled across a new VMware cloud thinker on twitter of all places.

Jian Zhen is the Director of Cloud Solutions at VMware and has been in the role for 4 months, starting in March.

Jian has a personal blog http://www.zhen.org/ (a bit like all of us) where he has been posting some great thoughts on Cloud.

The recent entries have been a four part series on "The Thousand Faces of Cloud Computing" which have been broken down into

  • Differing Definitions
  • Users
  • Business Benefits
  • Architecture Characteristics
I like the fact that he is using the same terms that I am using like "Elastic".

If you are into Cloud I suggest you add his RSS feed to your reader!

Jian, welcome to the conversation!


VMware vShield Zones

Monday, June 15, 2009

Rodos, tell me something about vShield Zones! Well read on if you want a quick low down.

The reason for this post is that I knew vShield Zones was released on June 10. As I am doing the planning on a huge deployment I wondered if vShield Zones could be used to provide some extra security layers, but I really have little idea of what it actually is, its benefits and limitations. A quick search of the Internet did not bring up any real details apart from marketing materials, not even Yellow-Bricks. If Duncan has not written anything on this then I am afraid I was on my own, so I hit the documentation.

So here you have it, my notes, questions and thoughts on VMware vShield Zones. It's not a deep analysis, more of a dump of my reading notes. I figured it best to know what it is and any limitations before doing a download and running it up in a lab!


The few blog posts that have been made

VMware acquired Blue Lane Technologies (http://www.bluelane.com/) in October 2008. For the details read over the VMware acquires Blue Lane and VMware goes deeper into Security world posts at virtualization.info.

What does it do?

You can think of vShield as providing firewalls inside your ESX hosts. Each host runs one or more vShields, each of which is a VM (provided as an OVF) that acts as a bridge between the real network and your Virtual Machines. These numerous vShield machines are all managed by a central vShield Manager (also provided as an OVF, one per vCenter Server).

The vShield creates two zones, one protected and the other unprotected. The traffic enters the protected zone from the unprotected zone. As it crosses the zones the vShield performs traffic analysis, discovery and stateful firewall protection.

For each vSwitch with a pNIC you will need to deploy a separate vShield to create a protected zone off it.

The Virtual Machines protected by a vShield all sit within a port group so they can freely talk to each other within the zone; that port group has Promiscuous Mode turned on.

The vShield Virtual Machine itself has three vNICs. One is for the management interface to talk to the vShield Manager. The second is for the portgroup of the protected machines and the third for the portgroup of the unprotected machines.

Here is what it looks like logically in a slide from the VMworld session.

You can see on the right hand side there are two port groups on the vSwitch that has the pNICs: one is the management port group and the other is the unprotected port group. The vShield has a vNIC into each of these, and it then acts as the bridge/firewall into the isolated vSwitch that contains the protected port group where the protected virtual machines will now live.

Stateful Firewall Protection (VM Wall)

You create firewall rules based on traffic direction, application protocols and ports and specific source-to-destination parameters. Rules are placed at the DataCenter or the Cluster level.

Rules can be Layer 4 or Layer 2/Layer 3. Layer 2/Layer 3 rules, which govern things such as ICMP, ARP etc, are enforced at the datacenter level only.

Traffic Analysis (VM Flow)

By inspecting each passing packet the vShields gather information which is aggregated in the vShield Manager. This then becomes a forensic tool to detect services and examine inbound and outbound sessions, and it forms an easy way to create VM Wall access rules.

You can view the statistics at either the DataCenter, Cluster, vShield instance or individual Virtual Machine level. It shows the last seven days but you can select a date range. You can drill down through the data.
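To make the relationship between VM Flow and VM Wall concrete, here is an added Python model of the two concepts as the documentation describes them. It is example code written for this post, not vShield's own code: observed sessions are rolled up per direction, protocol, port and source/destination, turned into candidate allow rules at a chosen scope, and the documented constraint that Layer 2/Layer 3 rules exist only at datacenter scope is enforced. The flow records and addresses are constructed, and treating ICMP and ARP as the Layer 2/3 set is an assumption based on the examples the documentation gives.

```python
"""Constructed model of the VM Flow -> VM Wall workflow described above.

Added example, not vShield code. All records, addresses and the protocol
classification are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The post says Layer 2/3 rules cover things such as ICMP and ARP and are
# enforced at the datacenter level only; everything else is a Layer 4 rule.
L2_L3_PROTOCOLS = {"icmp", "arp"}       # assumed classification
VALID_SCOPES = {"datacenter", "cluster"}
VALID_DIRECTIONS = {"inbound", "outbound"}


@dataclass(frozen=True)
class Flow:
    """One session seen by a vShield as it crosses between the zones."""
    src: str
    dst: str
    protocol: str         # "tcp", "udp", "icmp", "arp"
    port: Optional[int]   # None for protocols that carry no port
    direction: str        # relative to the protected zone


@dataclass(frozen=True)
class Rule:
    scope: str
    direction: str
    protocol: str
    port: Optional[int]
    src: str
    dst: str
    action: str = "allow"


def rule_layer(protocol: str) -> str:
    return "L2/L3" if protocol.lower() in L2_L3_PROTOCOLS else "L4"


def rule_problems(rule: Rule) -> List[str]:
    """Reasons a rule would be rejected (an empty list means it is acceptable)."""
    problems = []
    if rule.scope not in VALID_SCOPES:
        problems.append(f"unknown scope {rule.scope!r}")
    if rule.direction not in VALID_DIRECTIONS:
        problems.append(f"unknown direction {rule.direction!r}")
    if rule_layer(rule.protocol) == "L2/L3" and rule.scope != "datacenter":
        problems.append(f"{rule.protocol} rules are Layer 2/3 and only exist at datacenter scope")
    return problems


def summarize_flows(flows: Iterable[Flow]) -> Counter:
    """Roll raw sessions up into (direction, protocol, port, src, dst) counts,
    the kind of aggregation VM Flow shows before you turn it into rules."""
    counts: Counter = Counter()
    for f in flows:
        counts[(f.direction, f.protocol.lower(), f.port, f.src, f.dst)] += 1
    return counts


def propose_rules(flows: Iterable[Flow], scope: str, min_sessions: int = 1) -> List[Rule]:
    """Turn observed traffic into candidate allow rules at the requested scope.
    Layer 2/3 protocols are forced to datacenter scope because that is the
    only level at which they are enforced; rare one-off sessions are skipped."""
    rules: List[Rule] = []
    ordered = sorted(summarize_flows(flows).items(), key=lambda kv: (-kv[1], str(kv[0])))
    for (direction, proto, port, src, dst), seen in ordered:
        if seen < min_sessions:
            continue
        rule_scope = "datacenter" if rule_layer(proto) == "L2/L3" else scope
        rule = Rule(rule_scope, direction, proto, port, src, dst)
        assert not rule_problems(rule), rule_problems(rule)
        rules.append(rule)
    return rules


def is_allowed(flow: Flow, rules: Iterable[Rule]) -> bool:
    """First-match evaluation with an implicit deny at the end."""
    for r in rules:
        if (r.direction == flow.direction and r.protocol == flow.protocol.lower()
                and r.port == flow.port and r.src == flow.src and r.dst == flow.dst):
            return r.action == "allow"
    return False


# Constructed sample of what a week of VM Flow data might contain.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.2.5", "tcp", 443, "inbound"),
    Flow("10.0.1.20", "10.0.2.5", "tcp", 443, "inbound"),
    Flow("10.0.1.20", "10.0.2.5", "tcp", 443, "inbound"),
    Flow("10.0.1.20", "10.0.2.5", "tcp", 22, "inbound"),    # single session, not proposed
    Flow("10.0.2.5", "10.0.1.53", "udp", 53, "outbound"),
    Flow("10.0.2.5", "10.0.1.53", "udp", 53, "outbound"),
    Flow("10.0.1.20", "10.0.2.5", "icmp", None, "inbound"),
    Flow("10.0.1.20", "10.0.2.5", "icmp", None, "inbound"),
]

if __name__ == "__main__":
    for rule in propose_rules(SAMPLE_FLOWS, scope="cluster", min_sessions=2):
        print(rule)
```

The min_sessions threshold is the part worth thinking about: a rule set generated from everything the flow data ever saw also whitelists the one-off sessions you would rather investigate, so review the rolled-up counts before turning them into rules.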

Virtual Machine Discovery

vShield builds an inventory of Virtual Machines showing the operating system, applications (ports) and open ports on each virtual machine. Discovery is either continuous, run on demand or run on a schedule. Periodic discovery conflicts with continuous discovery: scheduling a periodic discovery terminates the continuous one and does not re-enable it.

User Interface

You interact with the Manager via a web interface or a CLI. There is also a vSphere Client plug-in. User authentication is different for the web and CLI interfaces and neither is integrated with vCenter Server or a central authentication system such as LDAP. For vShield Manager you can have different roles and rights; these are created and maintained within vShield Manager and there is no integration with vCenter Server. The CLI has either a Basic (read-only) or a Privileged mode.

What does it Cost?

vShield Zones is included in the Advanced, Enterprise and Enterprise Plus editions of vSphere 4.

Notes and Limitations

  • By default any machine in a vShield zone can not be VMotioned. This is because it is on a vSwitch that is not connected to a pNIC and hence VMotion assumes it is connected to a virtual intranet. If you build the environment so that all the ESX hosts have the right vShields and port group names you can allow VMotion. If you use the automatic deployment it should be set up this way. However to do this you need to go and hack the vpxd.cfg file for vCenter Server and change the setting for VMonVirtualIntranet. My issue with this is that it is an all or nothing setting. What if you actually do have a vSwitch that is isolated to do some testing or something? A VM on it may now get VMotioned, so you will need to remember to go and turn VMotion off for any of those VMs which are exceptions. I can see someone forgetting this detail and things getting screwy.
  • As Layer 2/Layer 3 rules are enforced at the datacenter level only I suspect that if you have two Clusters in a DataCenter you can't have one which will allow ICMP and the other not, which could be a really annoying limitation.
  • You can backup the data from the vShield Manager to a remote SFTP or FTP server. This can be done manually or scheduled. It creates a unique filename per backup.
  • Updates are done via downloading them to your PC and then uploading them to the vShield Manager. The vShield Manager updates all the vShield instances. It looks like reboots are required for updates of the vShields which I imagine would cause a network outage.
  • It does work with normal vSwitches and vNetwork Distributed Switches. However for vNDS you have to set everything up manually, it can’t auto deploy itself.
  • If you want to keep your vSwitch names the same as they were before you implemented vShield you will need to deploy manually and move to a temporary vNDS and then recreate the protected group with the original name.
  • There are a few references to Blue Lane in the documentation. In the CLI reference there are 31 commands which are listed and then described as "Deprecated. Do not use."
  • You can delete all previously recorded Flows but there is nothing in the documentation about rollup or archiving. What type of rollup does it do on the statistics gathered? Can you change the settings?
  • You need to disable HA and DRS on the vShields which is easy to do and makes sense.
  • It does not like Distributed Power Management (DPM), see the release notes.
  • You can’t have two datacenters with the same name within your vCenter Server.
  • The default user account for the vShield Manager user interface is not linked to the default CLI user account for a vShield Zones virtual machine. These accounts are managed separately. Also, the default CLI user account is unique to each vShield Zones virtual machine.
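The first note above, that VMonVirtualIntranet is an all or nothing setting, is the kind of thing worth checking with a script rather than memory. What follows is an added example written for this post, not vShield or vCenter code. It runs against a constructed inventory (hosts, vSwitches, port groups and VMs of the kind you would export from vCenter) and a constructed vpxd.cfg snippet: the setting name VMonVirtualIntranet comes from the post, while the XML layout around it and the PROTECTED_PREFIX naming convention for vShield protected port groups are assumptions. It reports isolated VMs that become migratable when the setting is turned on, protected VMs that cannot migrate when it is off, and protected port groups missing from some hosts.

```python
"""Added audit for the all-or-nothing VMonVirtualIntranet trade-off.

Example code, not part of vShield Zones or vCenter Server. The inventory,
the vpxd.cfg snippet and the port group naming convention are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTECTED_PREFIX = "vshield-protected"   # assumed prefix for protected port groups


@dataclass
class VSwitch:
    name: str
    pnics: List[str]          # empty = no uplink, what VMotion calls a virtual intranet
    port_groups: List[str]


@dataclass
class Host:
    name: str
    vswitches: List[VSwitch]


@dataclass
class VM:
    name: str
    host: str
    port_group: str
    vmotion_disabled: bool = False   # the per-VM exception the post says you must remember


@dataclass(frozen=True)
class Finding:
    kind: str
    subject: str
    detail: str


def vm_on_virtual_intranet(vpxd_cfg_xml: str) -> Optional[bool]:
    """Return the VMonVirtualIntranet value, or None when the element is absent.
    The element is found by name wherever it sits, so the assumed XML layout
    around it does not matter."""
    for el in ET.fromstring(vpxd_cfg_xml).iter():
        if el.tag == "VMonVirtualIntranet":
            return (el.text or "").strip().lower() == "true"
    return None


def isolated_port_groups(host: Host) -> Dict[str, str]:
    """Map port group -> vSwitch name for every vSwitch on the host without a pNIC."""
    return {pg: sw.name for sw in host.vswitches if not sw.pnics for pg in sw.port_groups}


def audit(hosts: List[Host], vms: List[VM], vpxd_cfg_xml: str) -> List[Finding]:
    findings: List[Finding] = []
    hosts_by_name = {h.name: h for h in hosts}
    setting = vm_on_virtual_intranet(vpxd_cfg_xml)

    # 1. Every protected port group must exist on every host, otherwise a VM
    #    can land on a host where its vShield zone does not exist.
    protected_groups = {pg for h in hosts for pg in isolated_port_groups(h)
                        if pg.startswith(PROTECTED_PREFIX)}
    for h in hosts:
        for pg in sorted(protected_groups - set(isolated_port_groups(h))):
            findings.append(Finding("missing_port_group", h.name, f"{pg} is not present on this host"))

    # 2. Per-VM consequences of the single global setting.
    for vm in vms:
        if vm.port_group not in isolated_port_groups(hosts_by_name[vm.host]):
            continue   # sits behind a real uplink, unaffected by the setting
        protected = vm.port_group.startswith(PROTECTED_PREFIX)
        if setting is True and not protected and not vm.vmotion_disabled:
            findings.append(Finding("isolated_vm_migratable", vm.name,
                                    f"{vm.port_group} is isolated but VMotion is now allowed globally"))
        elif not setting and protected:
            findings.append(Finding("protected_vm_cannot_migrate", vm.name,
                                    "VMonVirtualIntranet is off, so VMotion treats the zone as a virtual intranet"))
    return findings


# Constructed inventory: esx02 is missing one protected port group, and esx01
# carries a genuinely isolated test vSwitch.
HOSTS = [
    Host("esx01", [VSwitch("vSwitch0", ["vmnic0"], ["Management", "vshield-unprotected"]),
                   VSwitch("vSwitch1", [], ["vshield-protected-web", "vshield-protected-db"]),
                   VSwitch("vSwitch2", [], ["isolated-test"])]),
    Host("esx02", [VSwitch("vSwitch0", ["vmnic0"], ["Management", "vshield-unprotected"]),
                   VSwitch("vSwitch1", [], ["vshield-protected-web"])]),
]
VMS = [
    VM("web01", "esx01", "vshield-protected-web"),
    VM("db01", "esx02", "vshield-protected-web"),
    VM("lab01", "esx01", "isolated-test"),
    VM("lab02", "esx01", "isolated-test", vmotion_disabled=True),
    VM("mgmt01", "esx01", "Management"),
]
# Constructed vpxd.cfg fragment; only the element name is taken from the post.
VPXD_CFG_ON = "<config><vpxd><VMonVirtualIntranet>true</VMonVirtualIntranet></vpxd></config>"

if __name__ == "__main__":
    for finding in audit(HOSTS, VMS, VPXD_CFG_ON):
        print(f"{finding.kind:28} {finding.subject:8} {finding.detail}")
```

Run it both ways: with the setting on, the output is the list of isolated VMs you still need to turn VMotion off for; with it off, it is the list of protected VMs that will refuse to migrate, which is the choice the post describes.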
Now you should have a basic feel for what vShield is and some of its quirks. To progress, have a read of the documentation, but having just read it all there is not a lot of further detail. The next port of call if you are interested would be to either watch the VMworld recording, which has a few very quick screen shots of the interface (but it is very hard to tell any detail), or otherwise download it, run it up and have a play. It does not look very hard to get running in the form of a small pilot or trial.

If you have any experiences with vShield post in the comments, likewise if you notice any errors in my notes.

Enjoy, Rodos

UPDATE : This post and vShield Zones was discussed in the VMTN Podcast #52 which you can listen to, skip to 48:20.

Cisco UCS Resources

Thursday, June 11, 2009

Some Cisco Unified Computing System (UCS) linkage goodness.

This page will always be a work in progress as I will update it as I come across useful resources. If you have a useful resource drop in a comment with the details. If you want an easy page to remember or bookmark a permanent link is http://haywood.org/ucs/.


  • Project California: a Data Center Virtualization Server - UCS (Unified Computing System) by Silvano Gai, Tommi Salli, Roger Andersson.
Press Releases and News Items

Nehalem Memory with Catalina

Wednesday, June 10, 2009

I am not known for being a tin fan, give me some half decent hardware to run VMware and I am usually happy. However with Nehalem (5500) I have started to become interested. After all the 5500 is being touted as great for virtualisation for many reasons.

Aaron Delp did an introduction to memory on Nehalem on Scott Lowe's blog, which is a great read. Aaron does a good job of helping to understand the decisions around memory selection and memory speed.

What I wanted to add was some details about how the situation is different on the Cisco UCS blades, in particular the expanded memory blade, the UCS B250-M1. This blade has the Cisco ASIC memory extension architecture that lets it address up to 4 times the memory of a standard Nehalem processor. This ASIC is called Catalina.

What Catalina does is expand the number of memory sockets that can be connected to each single memory bus. The ASIC is inserted between the processor and the DIMMs on the memory bus, minimizing the electrical load, thus bypassing the control signal limitations of the Nehalem CPU design. Being done at the electrical level its completely transparent to the OS. The BIOS is extended to initialize and monitor the ASIC and to perform error reporting.

In order to increase the number of memory sockets without sacrificing memory bus clock speed, the ASIC adds a small amount of latency to the first word of data fetched. Subsequent data words arrive at the full memory bus speed with no additional delay. The first word delay is of the order of 10%, but I have heard from some spies that testing shows this is looking like a non-issue. It's especially a non-issue compared to the constant 10% latency hit and 28% drop in bandwidth you would get if you populated the channels in the normal Nehalem way.

What this means is that with the B250-M1 you can get the best price/performance ratio whilst either having the largest amount of RAM possible with expensive high density DIMMs or a large/medium memory configuration with inexpensive DIMMs.

If you have been watching the UCS space you will have noticed that Cisco Rack servers were recently announced. Lo and behold, the UCS C250-M1 has the extended memory Catalina ASICs too.

To think of all that talk that UCS was just a bit of tin with some networking hidden inside.

If you want more details on Catalina see the Cisco Extended Memory Whitepaper.

If you have any insights (maybe you are a tin person), drop a note in the comments. These will certainly make some sweet ESX hosts!
