Wednesday, March 25, 2015

Network I/O Control Version 3 and vSphere 6

Network I/O Control V4 and vSphere 6

VSphere 6 introduces a new version of Network I/O Control. This new version allows network reservations at the vnic level. What follows is a simple demonstration on how to set this up. This allows the critical virtual machines to have a guaranteed amount of network bandwith. This feature is compatible with DRS.

Note: Althought the vSphere Client can connect to the vCenter Server, you can't use the C Sharp client for this. Notice the following error:

Step 1. Create a Distributed Virtual Switch and migrate at least one vm to it. Make sure that Network I/O Control is enabled. This is what it should look like once you finish.

Step 2: Go to the Networking View, select Manage and specify the network related reservation for the Virtual Machine Traffic system defined pool. 

Step 3: Create your User Define Network Pool and specify its reservation.

Step 4: Associate your Port Group to your Network Pool.

Step 5: Specify the reservation at the vm level by editing its settings.

Tuesday, March 24, 2015

VDP 6 Installation, Configuration, Backups and Restores

VDP 6 is the latest version of VDP. New features include agents that enable application-consistent backup and reliable recovery of applications like Exchange, SharePoint and Sql Server. External proxies are now available to be deployed in remote locations such as other vSphere clusters in the same site or across sites to minimize network bandwith impact and improve overall performance. VDP is included with Essentials Plus and higher.


1. Deploy from OVA after downloading from

2. Configuration: 

Once the appliance reboots, connect to it using https://ip_of_vdp:8543/vdp-configure. Log in as root; the default password id "changeme".

Note: Once the reboot is done, log in again using the same URL to view some recovery options.

3. Backup

Log into the Web Client and select the newly added VDP Icon. Connect to the appliance and select the vm to backup.

4. Restore

Restore the virtual machine by selecting the vm and clicking on the Restore Icon. You can restore it in the same location or a different one.

Improvements to Lockdown Mode

Lockdown Mode Past and Present

vSphere 6 introduces changes to Lockdown Mode and the DCUI overall to provide more granularity and flexibility. In the past (5.5 and before), lockdown mode was disabled by default and if enabled, users could not log in directly to the esxi host nor could they use SSH even if SSH was enabled. If the vCenter was not available, root had to disable Lockdown Mode in order to connect to the esxi host via the vSphere Client.

vSphere 6 not only has the disabled (still the default) and enabled mode but introduced new choices. If enabled, lockdown mode could be set to Normal Mode or Strict Mode. In Normal mode, privileged
users can log into to the esxi host using the vsphere client or use the DCUI. In strict mode, the DCUI
is turned off but those privilege users can still log into the esxi host using the vSphere Client.

Here are some captures:

1. This is the default.

2. These are the choices.

3. If Enabled via Normal mode, this is what you see. As is, nobody can launch the vSphere Client and successfully connect to the esxi host directly. Yet, the dcui is still available.

4. If you decide to change it to Strict Mode, you get this warning. Before you do this, you may want to create a list of Exception Users.

5. vSphere 6 introduces the ability to create a list of Exception Users. These users will still have access to the esxi host via the vSphere Client if the vCenter Server is unavailable. To do this click on Edit to add the valid user with permissions. Domain accounts can be added to this list.

6. Notice the next two captures. The user is able to log in directly to the esxi host in both Normal and Strict Mode.

7. Despite the fact that those users can log in the esxi host via the vSphere Client, the DCUI is not running in Strict Mode. This is what you see in vSphere 6 if Lockdown Mode is in Strict Mode.


Lockdown Mode and the ESXi Shell and SSH Services

Strict lockdown mode stops the DCUI service. However, the ESXi Shell and SSH services are independent of lockdown mode. For lockdown mode to be an effective security measure, ensure that the ESXi Shell and SSH services are also disabled. Those services are disabled by default.

When a host is in lockdown mode, users on the Exception Users list can access the host from the ESXi Shell and through SSH if they have the Administrator role on the host and if these services are enabled. This access is possible even in strict lockdown mode. Leaving the ESXi Shell service and the SSH service disabled is the most secure option.