WilliamLam.com

Native MAC Learning in vSphere 6.7 removes the need for Promiscuous mode for Nested ESXi

by // 41 Comments

Over the years, several solutions have been developed here and here to help reduce the impact of promiscuous mode, which is a requirement for running Nested ESXi as a workload. Although these solutions worked extremely well, it however did require users to install additional software to enable this functionality. The most recent solution was a new Learnswitch VMkernel module (released as a VMware Fling) that enables MAC learning capabilities on ESXi.

Today, I am pleased to announce that with the release of vSphere 6.7, the MAC Learning functionality is now available as a native feature of the VMware Distributed Virtual Switch (VDS) and as some of you may have guessed from the title, promiscuous mode is also no longer a requirement for running Nested ESXi! I wanted to take a moment and thank Subin, Jobin, Sriram, Rajeev & Samuel from our Network and Security Business Unit (NSBU) at VMware who worked tirelessly to get this integrated and productized into ESXi. Not only will this benefit Nested ESXi workloads but also other solutions and use cases that have historically required the use of promiscuous mode. For customers who are still running ESXi 6.0 or 6.5, you should continue to use the Learnswitch Fling until you fully upgrade to vSphere 6.7.

To use the new MAC Learning functionality, you will of course need to upgrade to vSphere 6.7 (both vCenter and ESXi) but also upgrade to the latest VDS version which is 6.6. MAC Learning can be enabled on a per Distributed Virtual Portgroup bases and today, it is only available when using the vSphere API. For those that have used the VDS API to manage their VDS, you will simply use the existing ReconfigureDVPortgroup_Task() method and in 6.7, there now a new macManagementPolicy property which allows you to enable and define your MAC Learning settings. This new MAC Management Policy will also be the new preferred method for managing security policies going forward for a DV Portgroup and the previous security policy settings should no longer be used.

Disclaimer: Nested ESXi is still not officially supported by VMware. Please use at your own risk.  [Read more...]

Nested ESXi 6.7 Virtual Appliance Updates

by // 34 Comments

I know many of you have been pinging me the last couple of days for an updated Nested ESXi 6.7 Virtual Appliance and I have just finished my strict quality control process 🙂 The only minor change with the 6.7 appliance is the VM is now configured with EFI Firmware, where as in the past it was set to BIOS. As of vSphere 6.5+ appliances, the customization scripts are automatically removed by default which means that customers can turn on Secure Boot feature post-deployment without having to perform any manual workarounds. In addition, you will find a few more updates related to the updated ESXi appliance below. I hope you enjoy these free resources to help learn and plan for your vSphere 6.7 upgrades, Happy Friday!

Note: These solutions are all developed during off hours and does take a considerable amount of time/effort to manage and update. Although they are provided to you as a free solution, the development itself is not 🙂

o

Nested ESXi 6.7 Appliance:

ESXi 6.7 Virtual Appliance (Nested_ESXi6.7_Appliance_Template_v1.ova)

Nested ESXi Content Library

If you are using my Nested ESXi Content Library, I have updated it to include the latest 6.7 Appliance. Simply refresh your Content Library to automatically pull down the image or you can create a new Content Library by subscribing to the following URL: https://download3.vmware.com/software/vmw-tools/lib.json For more details, please take a look at this blog post here.

vGhetto vSphere Automated Lab Deployment:

For those that use my vGhetto lab deployment script to automate a fully functional vSphere environment, I have created a new version of the script to support vSphere 6.7 which you can find more details here. One neat feature that was suggested by Christian Mohn awhile back was the ability to get more insights to what is happening during the VCSA deployment since the verbosity can be quite distracting on the primary screen. There is now a new $enableVerboseLoggingToNewShell variable that is enabled by default to spawn a new PowerShell console that will watch the VCSA installer logs, so you have a better idea of what is going on.

Updated Nested ESXi 6.0u3 & 6.5d Virtual Appliances

by // 26 Comments

I finally found a bit of "extra" spare time to update my Nested ESXi Virtual Appliances to support some of the recent releases of ESXi, 6.0 Update 3 and 6.5d, which enables customers to easily and quickly deploy vSAN 6.6 in their environment for testing, development or learning purposes. If you have not used this appliance before, please have a look at this article which goes into greater detail on how to deploy and use the Nested ESXi VA.

As part of this update, I also spent some time looking at all the feedback that I had received from the community since releasing the VA and I took this opportunity to also add some nice enhancements that folks have been asking about 🙂 Jump towards the bottom to see what's new. To reduce the number of VA's that I need to manage and due to usage, the following VA's have recently been decommissioned. I only plan on supporting the latest versions which you can find in the links below.

Decommissioned VA's:

  • ESXi 5.5 Update 3 (Nested_ESXi5.x_Appliance_Template_v2.ova)
  • ESXi 6.0 Update 2 (Nested_ESXi6.x_Appliance_Template_v5.ova)
  • ESXi 6.5 GA (Nested_ESXi6.5_Appliance_Template_v1.ova)

New VA's:

What's New:

  • Support for DHCP 
    • I know this might sound pretty basic but before you were required to specify a static IP (even if you had DHCP). By default, you no longer need to fill out the networking section as highlighted in yellow below.
  • Support for default root password
    • You no longer need to provide root password, it will default to the famous VMware1! The issue in the past was that I had randomly generated a password which I discarded and when the customization failed, it was very difficult to troubleshoot since I do not actually have the password 😉 Hopefully we do not have any other bugs, but this will make debugging easier and also reduce the amount of input if you want to quickly spin up an ESXi instance.
  • Support for VLAN ID
    • Though not a huge number of requests, there were still of you who asked for 802.1q (trunk) support on Management VMkernel interface. This is an optional field and obviously this is only applicable if you provide a static IP Address.
  • Automatic removal of Customization VIB
    • As some of you may or may not know, the way in which these OVF properties are processed within the Nested ESXi instance is a special firstboot script which reads in these values and then applies the ESXi customization. If everything is successful, there really is no use for this to exists further and although you could set a certain advanced setting to force re-customization, it was quicker to just re-deploy. With that in mind, the customization VIB is now automatically removed once its done its job. I have included a special debug option that would allow it to not be deleted in scenarios where there are issues and we need to take a look at the state of the system. With this change, you really now have a "vanilla" ESXi instance 🙂
  • Fixed dvFilter param for eth1


Hope you enjoy some of these new updates and happy Nesting!