
Monday, November 26, 2012

Configuring IPv6 and IPsec on vSphere ESX, ESXi 4.1 and ESXi 5.x

VMware vSphere ESX/ESXi 4.1 supports IPv4 and IPv6, though IPv6 support is disabled by default. This article provides steps to enable IPv6, and optionally configure IPsec for IPv6 VMkernel traffic.

VMware vSphere ESX/ESXi 4.1 supports IPv6 for use with the Service Console and VMkernel management interfaces, and is compatible with Software iSCSI, vMotion, High Availability (HA) and Fault Tolerance (FT).
Note: IPv6 is not supported for a dependent hardware iSCSI adapter or with TCP Checksum Offload.

Enabling IPv6 on vSphere ESX/ESXi 4.1

IPv6 support can be enabled or disabled on a vSphere ESX/ESXi 4.1 host using the vSphere Client, the host console, or the vSphere Command-Line Interface (vCLI). Enabling IPv6 requires a reboot to take effect.
To enable IPv6 using the vSphere Client:
  1. Connect to the host or vCenter Server using the vSphere Client.
  2. Select the host in the inventory and click the Configuration tab.
  3. Under the Hardware section, click the Networking link.
  4. In the Virtual Switch view, click the top-level Properties link.
  5. Select Enable IPv6 support on this host system.
  6. Click OK.
  7. Reboot the host for changes to take effect.

    Note: To disable IPv6, deselect the checkbox and reboot.
To enable IPv6 using the console or vCLI commands:
  1. Open a console to the ESX or ESXi host, or to the system where the vCLI is installed. For more information, see:
  2. Enable IPv6 support on the VMkernel network interfaces using one of the commands:

    • At the console: esxcfg-vmknic --enable-ipv6 true
    • Using the vCLI: vicfg-vmknic --enable-ipv6 true

  3. For ESX only, additionally enable IPv6 support for the Service Console network interfaces using the command:

    • At the console: esxcfg-vswif --enable-ipv6 true

  4. Reboot the host for the changes to take effect.

    Note: To disable IPv6, replace true with false in the commands and reboot.

Configuring IPv6 interface addresses on vSphere ESX/ESXi 4.1

IPv6 addresses can be configured for VMkernel and Service Console network interfaces using the vSphere Client or using the command line.
To set an IPv6 address using the vSphere Client, see VMkernel Networking Configuration and Service Console Configuration in the ESX/ESXi 4.1 Configuration Guide.
To set an IPv6 address for a VMkernel network interface using the console or vCLI, use one of the commands:

    esxcfg-vmknic --ip X:X:X:X::/X PortgroupName
    vicfg-vmknic --ip X:X:X:X::/X PortgroupName

To set an IPv6 address for a Service Console network interface using the console, use the command:

    esxcfg-vswif --ip X:X:X:X::/X vSwifName

Enabling and disabling IPv6 on vSphere ESXi 5.x

In ESXi 5.x, you can use the esxcli commands from the command line to enable or disable IPv6. This lets you restart the ESXi host later, instead of forcing you to restart it immediately.
To determine whether IPv6 is currently enabled, run this command:

esxcli system module parameters list -m tcpip3

In the output, the ipv6 parameter has one of these values:
  • 1 – IPv6 is enabled
  • 0 – IPv6 is disabled
To disable IPv6, run this command:

esxcli system module parameters set -m tcpip3 -p ipv6=0

Alternatively, to enable IPv6, set ipv6 to 1. In either case, the change takes effect after the next reboot.

Configuring IPsec for IPv6 on vSphere ESX/ESXi 4.1

Internet Protocol Security (IPsec) secures IP communications coming from and arriving at an ESX/ESXi host. VMware vSphere ESX/ESXi 4.1 supports IPsec using IPv6 with manual key exchange for VMkernel network interfaces only.
When IPsec is enabled on a host, authentication and encryption of incoming and outgoing packets is performed. When and how IP traffic is encrypted depends on configuration of the system's security associations and policies. For more information, see the Internet Protocol Security section of the ESX/ESXi Server Configuration Guide.
Configuration can be performed from the ESX/ESXi host console using the esxcfg-ipsec command, or remotely via the vSphere Command-Line Interface using the vicfg-ipsec command. Configuration of IPsec cannot be performed using the vSphere Client. The two commands have the same syntax, and only vicfg-ipsec is used in subsequent examples. For more information, see the vSphere Command-Line Interface documentation and the vicfg-ipsec command reference.
  • To add a Security Association (SA), use the command:

    vicfg-ipsec --add-sa --sa-src x:x::/x --sa-dst x:x::/x --sa-mode transport --ealgo null --spi 0x200 --ialgo hmac-sha1 --ikey key SAName

  • To add a Security Policy (SP), use the command:

    vicfg-ipsec --add-sp --sp-src x:x::/x --sp-dst x:x::/x --src-port 100 --dst-port 200 --ulproto tcp --dir out --action ipsec --sp-mode transport --sa-name SAName SPName

    For example, to add a generic security policy with default options:

    vicfg-ipsec --add-sp --sp-src any --sp-dst any --src-port any --dst-port any --ulproto any --dir out --action ipsec --sp-mode transport --sa-name SAName SPName

    For example, to add a security policy to filter traffic like a firewall:

    vicfg-ipsec --add-sp --sp-src x:x::/x --sp-dst x:x::/x --src-port 100 --dst-port 200 --ulproto tcp --dir out --action discard SPName

  • To list the defined Security Associations and Security Policies, use the commands:

    vicfg-ipsec --list-sa
    vicfg-ipsec --list-sp
  • To delete a defined Security Association or Security Policy, use the commands:

    vicfg-ipsec --remove-sa SAName
    vicfg-ipsec --remove-sp SPName
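The SA and SP commands above cover one direction only; IPsec SAs are one-directional, so protecting VMkernel traffic between two hosts needs an SA and an SP for each direction. The script below is an added example (not from the article or from VMware) that generates the four vicfg-ipsec commands for the local host from a pair of random 160-bit HMAC-SHA1 keys. The SA/SP naming scheme, the SPI value and the assumption that keys are shared with the peer out of band are mine.

```shell
#!/bin/sh
# Added example: build manual-key vicfg-ipsec SA/SP command pairs for IPv6
# VMkernel traffic between a local host and one peer. Nothing here runs
# vicfg-ipsec; the commands are printed for review before use.
# Assumptions: vicfg-ipsec syntax as shown in the article; sa-*/sp-* names.

# 160-bit key for hmac-sha1, printed as 40 hex characters from /dev/urandom.
gen_hmac_sha1_key() {
    od -An -tx1 -N20 /dev/urandom | tr -d ' \n'
}

# Accept only an IPv6 address with a prefix length, e.g. 2001:db8::10/64.
is_ipv6_prefix() {
    case "$1" in
        *:*/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# One direction: the SA for src -> dst and the SP ($5 = out or in) that
# selects it. --ealgo null gives integrity only, no confidentiality,
# exactly as in the article's example.
emit_one_way() {
    src=$1; dst=$2; spi=$3; key=$4; dir=$5; tag=$6
    echo "vicfg-ipsec --add-sa --sa-src $src --sa-dst $dst --sa-mode transport" \
         "--ealgo null --spi $spi --ialgo hmac-sha1 --ikey $key sa-$tag"
    echo "vicfg-ipsec --add-sp --sp-src $src --sp-dst $dst --src-port any" \
         "--dst-port any --ulproto any --dir $dir --action ipsec" \
         "--sp-mode transport --sa-name sa-$tag sp-$tag"
}

# Commands for the local host: local -> peer (dir out) and peer -> local
# (dir in), each with its own key. The peer needs the same two SAs, and the
# same two SPs with out/in swapped.
# $1 local prefix, $2 peer prefix, $3 SPI (hex), $4 out key, $5 in key
build_host_config() {
    is_ipv6_prefix "$1" && is_ipv6_prefix "$2" || return 1
    [ "${#4}" -eq 40 ] && [ "${#5}" -eq 40 ] || return 1
    emit_one_way "$1" "$2" "$3" "$4" out local-to-peer
    emit_one_way "$2" "$1" "$3" "$5" in  peer-to-local
}

# Constructed sample addresses (documentation prefix), run stand-alone.
build_host_config "2001:db8::10/64" "2001:db8::20/64" 0x200 \
    "$(gen_hmac_sha1_key)" "$(gen_hmac_sha1_key)"
```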

Sunday, November 18, 2012

Why upgrade to Windows 2012 Server

1: Freedom of interface choice

A Server Core installation provides security and performance advantages, but in the past, you had to make a commitment: If you installed Server Core, you were stuck in the “dark place” with only the command line as your interface. Windows Server 2012 changes all that. Now we have choices.
The truth that Microsoft realized is that the command line is great for some tasks and the graphical interface is preferable for others. Server 2012 makes the GUI a “feature” — one that can be turned on and off at will. You do it through the Remove Roles Or Features option in Server Manager.

2: Server Manager

Speaking of Server Manager (Figure A), even many of those who dislike the new tile-based interface overall have admitted that the design’s implementation in the new Server Manager is excellent.

Figure A: Server Manager
One of the nicest things about the new Server Manager is the multi-server capabilities, which makes it easy to deploy roles and features remotely to physical and virtual servers. It’s easy to create a server group — a collection of servers that can be managed together. The remote administration improvements let you provision servers without having to make an RDP connection.

3: SMB 3.0

The Server Message Block (SMB) protocol has been significantly improved in Windows Server 2012 and Windows 8. The new version of SMB supports new file server features, such as SMB transparent failover, SMB Scale Out, SMB Multichannel, SMB Direct, SMB encryption, VSS for SMB file sharing, SMB directory leasing, and SMB PowerShell. That’s a lot of bang for the buck. It works beautifully with Hyper-V, so that VHD files and virtual machine configuration files can be hosted on SMB 3.0 shares. A SQL system database can be stored on an SMB share, as well, with improvements to performance. For more details about what’s new in SMB 3.0, see this blog post.

4: Dynamic Access Control (DAC)

Even though some say Microsoft has shifted the focus away from security in recent years, it would be more accurate to say it has shifted the focus from separate security products to a more “baked in” approach of integrating security into every part of the operating system.
Dynamic Access Control is one such example, helping IT pros create more centralized security models for access to network resources by tagging sensitive data both manually and automatically, based on factors such as the file content or the creator. Then claims-based access controls can be applied. Read more about DAC in my “First Look” article over on Windowsecurity.com.

5: Storage Spaces

Storage is a hot — and complex — topic in the IT world these days. Despite the idea that we’re all going to be storing everything in the public cloud one day, that day is a long way off (and for many organizations concerned about security and reliability, it may never happen). There are myriad solutions for storing data on your network in a way that provides better utilization of storage resources, centralized management, and better scalability, along with security and reliability. Storage area networks (SANs) and network attached storage (NAS) do that, but they can be expensive and difficult to set up.
Storage Spaces is a new feature in Server 2012 that lets you use inexpensive hard drives to create a storage pool, which can then be divided into spaces that are used like physical disks. They can include hot standby drives and use redundancy methods such as 2- or 3-way mirroring or parity. You can add new disks any time, and a space can be larger than the physical capacity of the pool. When you add new drives, the space automatically uses the extra capacity. Read more about Storage Spaces in this MSDN blog post.

6: Hyper-V Replica

Virtualization is the name of the game in the server world these days, and Hyper-V is Microsoft’s answer to VMware. Although the latter had a big head start, Microsoft’s virtualization platform has been working hard at catching up, and many IT pros now believe it has surpassed its rival in many key areas. With each iteration, the Windows hypervisor gets a little better, and Hyper-V in Windows Server 2012 brings a number of new features to the table. One of the most interesting is Hyper-V Replica.
This is a replication mechanism that will be a disaster recovery godsend to SMBs that may not be able to deploy complex and costly replication solutions. It logs changes to the disks in a VM and uses compression to save on bandwidth, replicating from a primary server to a replica server. You can store multiple snapshots of a VM on the replica server and then select the one you want to use. It works with both standalone hosts and clusters in any combination (standalone to standalone, cluster to cluster, standalone to cluster or cluster to standalone). To find out more about Hyper-V replica, see this TechNet article.

7: Improvements to VDI

Windows Terminal Services has come a long way, baby, since I first met it in Windows NT TS Edition. Renamed Remote Desktop Services, it has expanded to encompass much more than the ability to RDP into the desktop of a remote machine. Microsoft offered a centralized Virtual Desktop Infrastructure (VDI) solution in Windows Server 2008 R2, but it was still a little rough around the edges. Significant improvements have been made in Server 2012.
You no longer need a dedicated GPU graphics card in the server to use RemoteFX, which vastly improves the quality of graphics over RDP. Instead, you can use a virtualized GPU on standard server hardware. USB over RDP is much better, and the Fair Share feature can manage how CPU, memory, disk space, and bandwidth are allocated among users to thwart bandwidth hogs. Read more about Server 2012 VDI and RDP improvements here.

8: DirectAccess without the hassle factor

DirectAccess was designed to be Microsoft’s “VPN replacement,” a way to create a secure connection from client to corporate network without the performance drain and with a more transparent user experience than a traditional VPN. Not only do users not have to deal with making the VPN work, but administrators get more control over the machines, with the ability to manage them even before users log in. You apply group policy using the same tools you use to manage computers physically located on the corporate network.
So why hasn’t everyone been using DirectAccess with Server 2008 R2 instead of VPNs? One big obstacle was the dependency on IPv6. Plus, it couldn’t be virtualized. Those obstacles are gone now. In Windows Server 2012, DirectAccess works with IPv4 without having to fool with conversion technologies, and the server running DirectAccess at the network edge can now be a Hyper-V virtual machine. The Server 2012 version of DA is also easier to configure, thanks to the new wizard.

9: ReFS

Despite the many advantages NTFS offers over early FAT file systems, it’s been around since 1993, and Windows aficionados have been longing for a new file system for quite some time. Way back in 2004, we were eagerly looking forward to WinFS, but Vista disappointed us by not including it. Likewise, there was speculation early on that a new file system would be introduced with Windows 7, but it didn’t happen.
Windows Server 2012 brings us our long-awaited new file system, ReFS or the Resilient File System. It supports many of the same features as NTFS, although it leaves behind some others, perhaps most notably file compression, EFS, and disk quotas. In return, ReFS gives us data verification and auto correction, and it’s designed to work with Storage Spaces to create shrinkable/expandable logical storage pools. The new file system is all about maximum scalability, supporting up to 16 exabytes in practice. (This is the theoretical maximum in the NTFS specifications, but in the real world, it’s limited to 16 terabytes.) ReFS supports a theoretical limit of 256 zettabytes (more than 270 billion terabytes). That allows for a lot of scaling.

10: Simplified licensing

Anyone who has worked with server licenses might say the very term “simplified licensing” is an oxymoron. But Microsoft really has listened to customers who are confused and frustrated by the complexity involved in finding the right edition and figuring out what it’s really going to cost. Windows Server 2012 is offered in only four editions: Datacenter, Standard, Essentials, and Foundation. The first two are licensed per-processor plus CAL, and the latter two (for small businesses) are licensed per-server with limits on the number of user accounts (15 for Foundation and 25 for Essentials).

Tuesday, November 13, 2012

Public Cloud vs Private Cloud

Where public cloud services are suitable:
  1. Where there is "limited exposure to heavy infrastructure investments such as mainframes and enterprise applications."
  2. Where IT staff is more likely to have been brought up in the days of rapid development, virtualization automation, services on demand, or open source.
  3. In a smaller business, where there is greater flexibility and agility in decision making.
  4. Where there is a need for rapid turnaround and faster time to market for new applications.
  5. Where IT staff is less likely to feel "emotional" attachment to a SAN or working on servers -- and therefore "less likely to feel threatened by an external provider."

Where private cloud services should be created:
  1. In companies with a "decade plus of investment in IT staff, infrastructure and enterprise applications."
  2. In industries where "regulatory and financial controls are stricter, more comprehensive and carry greater risk when failure occurs."
  3. In risk-averse companies where "business change takes much longer."
  4. In organizations with "dedicated staffing for very specific roles, which makes it harder to unify quickly around a major change to infrastructure or applications."
  5. Where a larger infrastructure base allows for "deeper staff knowledge and improved economies of scale."

Thursday, November 8, 2012

Processor and memory capabilities of Windows XP Professional x64 Edition and of the x64-based versions of Windows Server 2003

The number of processors and the amount of physical RAM that are supported

The following table compares the number of processors and the amount of physical RAM that are supported by the x64-based versions of Windows Server 2003 and by Windows XP Professional x64 Edition to those that are supported by the 32-bit versions.
Operating system                                        Number of processors   Physical RAM
Microsoft Windows Server 2003, Standard Edition         4                      4 gigabytes (GB)
Microsoft Windows Server 2003, Standard x64 Edition     4                      32 GB
Microsoft Windows Server 2003, Enterprise Edition       8                      64 GB
Microsoft Windows Server 2003, Enterprise x64 Edition   8                      1 terabyte
Microsoft Windows Server 2003, Datacenter Edition       32                     64 GB
Microsoft Windows Server 2003, Datacenter x64 Edition   64                     1 terabyte
Microsoft Windows XP Professional                       2                      4 GB
Microsoft Windows XP Professional x64 Edition           2                      128 GB

Notes
  • x86-based versions of Windows Server 2003 that are running on a computer that uses a multicore processor or a hyper-threading processor support a maximum number of 32 logical processors.
  • x64-based versions of Windows Server 2003 that are running on a computer that uses a multicore processor or a hyper-threading processor support a maximum number of 64 logical processors.

Memory allocation settings

The following table compares the memory allocation settings that are supported by the x64-based versions of Windows Server 2003 and Windows XP Professional x64 Edition to those that are supported by the 32-bit versions.
Memory allocation setting                              32-bit versions                                              x64-based versions
Total amount of virtual address space                  4 GB                                                         16 terabytes
Amount of virtual address space per 32-bit process     2 GB (3 GB if the /3GB switch is added to the Boot.ini file)   2 GB (4 GB if the /LARGEADDRESSAWARE option is used)
Amount of virtual address space for 64-bit processes   Not applicable                                               8 terabytes
Amount of paged pool memory                            470 megabytes (MB)                                           128 GB
Amount of non-paged pool memory                        256 MB                                                       128 GB
Size of system cache                                   1 GB                                                         1 terabyte

For more information about the x64-based versions of Windows Server 2003, visit the following Microsoft Web site:
For more information about Windows XP Professional x64 Edition, visit the following Microsoft Web site: http://www.microsoft.com/windowsxp/64bit/default.mspx

Sunday, November 4, 2012

How does VMware Compare to Windows Server 2012 Hyper-V?


System    Resource                Windows Server 2012 Hyper-V   VMware vSphere Hypervisor   VMware vSphere 5.0 Enterprise Plus
Host      Logical Processors      320                           160                         160
Host      Physical Memory         4TB                           32GB                        2TB
Host      Virtual CPUs per Host   2,048                         2,048                       2,048
VM        Virtual CPUs per VM     64                            8                           32
VM        Memory per VM           1TB                           32GB                        1TB
VM        Active VMs per Host     1,024                         512                         512
VM        Guest NUMA              Yes                           Yes                         Yes
Cluster   Maximum Nodes           64                            N/A                         32
Cluster   Maximum VMs             4,000                         N/A                         3,000