13 December, 2012

Protecting against Denial Of Service attacks with new VDS feature

One of the VMware Virtual Distributed Switch enhancements is the BPDU-Filter. BPDU stands for Bridge Protocol Data Unit, these packets are exchanged between physical switches as part of the Spanning Tree Protocol. STP is used to prevent network loops and is used on physical switches.
A physical switch determent's on BPDU exchange if a specific port should be in a forwarding- or blocking state.
VMware's virtual switches do not support STP and therefore doesn't exchange BPDU packets, the VDS will simply drop the packet.
A best practice for VMware host facing ports is to enable portfast and BPDU guard. With this best practice the following scenario could cause to a complete uplink to fail. If a VM is compromised in some way and this VM starts to generate BPDU packets it will travel to the physical switch and this will block the port as a result of the BPDU guard settings it has.
The result is a uplink down and the vSphere host will try to move the VM to a other uplink which will result in a other uplink down and in worst case scenario it could cause a cluster wide fail.
The BPDU-Filter feature will make the VDS (VSS as well) drop the BPDU-packet coming from the VM.

For more details and how to configure it please visit the VMware blog

05 December, 2012

vSphere Data Protection error and Time sync

When using VDP it is crucial to have a correct NTP configuration on the VDP appliance and on the SSO server. Those two need to be in sync in order to function properly.
Jeff Hunter wrote a article on the VMware vSphere blog explaining the details and also the proper NTP configuration that will solve this issue.

03 December, 2012

Disabling HotAdd/Hotplug in Virtual Machines

The Hotadd/ Hotplug feature introduced in ESX(i) 4 gives VM users (with OS administrator rights) the possibility to "eject" hardware inside the VM. By doing this it removes the hardware inside the VM aswel as from the VM configuration. Hardware that can be "ejected" which can cause a serious issue on the functionality of the VM are network cards SCSI adapters and virtual disks.
There is a VMware kb article on this "issue" KB: 1012225

The kb article gives a work-a-round solution by disabling the Hotplug capability of the VM. This can be done by: using the vSphere client or by editing the .vmx file of your VM. This will disable all Hotplug capability except CPU and Memory.
Editing the .vmx file can only be done when the VM is powered off, but you can do it more easy by using a PowerCLI script. Example below (Script provided by Massimiliano Giarda).

Although this is a quick solution to the problem, there is also a alternative way of preventing "accidental" removal of hardware. You can change the appropriate setting in the Windows registry, but as this setting is in the SYSTEM part, you will need to change the registry upon every boot / reboot of the VM. At best it is done by running it as (part of) the computer startup script.

Below the registry setting to disable harddisk eject:

:: Disable eject hard disk
:: Original value: 6
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\4&1f16fef7&0&00A8" /v Capabilities /t REG_DWORD /d 2 /f

Below the registry setting to disable network card eject:

:: Disable eject network card
:: Original value: 6
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_100F&SUBSYS_075015AD&REV_01\4&3ad87e0a&0&0088" /v Capabilities /t REG_DWORD /d 2 /f

02 December, 2012

Main reason for the existence of this blog

First of the main reason why I started this little blog. The way for me to study and I mean really " soak up" and understand all information I go thru, I found that the best way for me to do this is by writing it up and make it presentable to others. I first found out this when I was preparing a slide deck for a presentation to "pass" information I gathered during the EMEA VMworld 2012 in Barcelona. The purpose for this presentation was to pass the most interesting information to my colleagues at the company I work for. This made me to really dig and get as much details on the subjects I was presenting on, by doing this I noticed two things.
First was actually amazed how much of the huge pile of information of all joined sessions was still present and ready to use in my mind, I did not expect this but I am glad it did. And secondly I found that getting prepaired for this presentation was the drive I need to focus. So as I recently started to prepare for the VMware VCAP exams, I thought I would pick up the same "study methode" but don't want to "bother" my colleagues with loads of 100+ slides slidedeck style presentations.
So why not put it on a blog and share it with whoever wants to read it ?

I hope it will give you information and maybe even some inspiration on the wide topic " Virtualization & Cloud computing.