VMware vSphere:Operate,Scale and Secure [V8]

Lab Manual
Part Number EDU-EN-VSOSS8-LAB (11-JUL-2023)

Copyright©2023 VMware,Inc. All rightsreserved. This manual and its accompanying

materials are protected by U.S. and international copyrightand intellectual property laws.
VMware productsare covered by one or more patents listed at
http://www.vmware.com/go/patents.VMware is a registeredtrademark or trademark of
VMware,Inc. in the United States and/or other jurisdictions. All other marks and names
mentioned herein may be trademarks of their respectivecompanies. VMware vSphere®
StoragevMotion®, VMware vSphere® Replication™,
VMware vSphere® HighAvailability,
VMware vSphere® VMware vSphere®
EnterprisePlus Editionâ„¢, ESXiâ„¢Shell,VMware
vSphere® VMware vSphere®
Distributed Switchâ„¢, Distributed Resource Schedulerâ„¢,
VMware vSphere® VMware vSphere®
Client™, API, VMware vSphere® 2015, VMware
vSphere®, VMware vSAN™, VMware vCenter Server®, VMware vCenter®, VMware View®,
VMware Horizon®View™, VMware Verify™, VMware Site Recovery™ for VMware Cloud™on
AWS,VMware Horizon®7, VMware Horizon®7, VMware Horizon®7 on VMware Cloud™on
AWS, VMware Cloudâ„¢on AWS GovCloud (US),VMware Cloudâ„¢on AWS Outposts,
VMware Certificate Authority.No trademark.,VMware vSphere® VMFS,VMware vSphere®
Distributed Switchâ„¢,vSphereStoragevMotion, VMware Site Recoveryâ„¢, Project Photon
OS™, VMware Photon™, VMware vSphere® Network I/O Control,VMware Pivotal Labs®
Health Check™, VMware Go™, VMware ESXi™, VMware ESX®, and VMware vSphere®
Distributed Resource Schedulerâ„¢are registeredtrademarks or trademarks of VMware, Inc. in
the United States and/or other jurisdictions.
The trainingmaterial is provided “asis,―and all express or impliedconditions, representations,
and warranties,includingany impliedwarrantyof merchantability, fitness for a particular
purpose or noninfringement, are disclaimed,even if VMware,Inc.,has been advised of the
possibilityof such claims. This material is designedto be used for reference purposes in
conjunctionwith a trainingcourse.
The trainingmaterial is not a standalone trainingtool. Use of the trainingmaterial for self-
studywithout class attendance is not recommended. These materials and the computer
programs to which it relates are the property of, and embody trade secrets and confidential
information proprietaryto, VMware, Inc.,and may not be reproduced,copied,disclosed,
transferred,adapted or modified without the express written approvalof VMware,Inc.

www.vmware.com/education
TypographicalConventions
The followingtypographicalconventions are used in this course.

Conventions Usageand Examples

Monospace Identifies command names, command options,parameters,code

fragments,error messages, filenames,folder names, directorynames,
and path names:
e Run the esxtop command.
e _...
found in the /var/log/messages file.

Monospace identifies user inputs:

Bold
Enteripconfig /release.
. :

¢

Boldface identifies user interface controls:

e
=Click the Configurationtab.
Italic identifies book titles:
e ~vSphere
Virtual Machine Administration

<> ndicates placeholdervariables:

e <ESXi_host_name>
e ...
the Settings/<Your_Name>.txtfile

www.vmware.com/education
www.vmware.com/education
Contents

Lab 1 Accessingthe Lab Environment .......cccccccsesesssssesessssessessesessesssesesteseesessesessesseseeseeseenees

Task 1: Access Your Lab Environment... ..cessesssesssnecsssecssseessseessneessnesessessnessuvessssessssesseessneesnnecsunecsaneesnneesseeesees

Task 2: Verify That the vSphereLicenses Are Valid.

ask 3: (Optional)AssignValid vSphereLicenses

Lab 2 Configuringa Centralized VMware Tools Installation Repository... 5

ask 1: Preconfigure
the Environment
Task 2: Copy the VMware Tools Packagesto a Datastore
Task 3: View the ESXi Advanced Settings... ececceccccecseeseesseseesesseeseesessecsecsessecsecsessecsecsessecsecuessecuesuestecueaneeneeneeneenee
8
Task 4: Re-create the /productLockerSYMink ....ceecseessssssessessseccsssneescsnseeecssnsseeessnsecsnnneeeesnieeessneecsnnneeeeseneeeees
9

Lab 3 DeployingvSphereReplicationand Site RecoveryInstances.1

(Simulation)
Task 1:LADSIMULATION... esceccsecsssecssseecssessssesesssecssvecsusecsuvecssvecsssecssvecssssccssecsssecsssecssuecsssesssuesessecssnvecsueessseessseeesseetennees
11

Lab 4 ConfiguringReplication
(Simulation) for a SINGIE
VM uu.
13
TASK 1: LAD SHIMUIATION eee eeceesseeseeseesseesseesseesneesnesseessessessnessecsessuessseesuessesseesueesneesueeseseeeseesseesneeensenessneeseeeeneesee
3

Lab 5 ManagingRESOUrCEPOOIS .....c.ccsessssessessssssseesessesseseeseesssssessssnsseseesssuesesseenseeseeseeneaeaees 15

Task 1: RE-COMPIGSUEE
VMS... .ceeccecesssssssecssecsseessessscenecsuecsnecsscssecsucsuecsuecsnsancsuecsuessusessesuscsnecsuecsscsuecsuessusesuscseeanecsnecsneeses
15
Task 2: Create CPU COntention ....cccecsseecssessssecsssecsssecsssecsssecsssssssscssscessvecsusessuvecssssssssessnvecsnvecsuuecsssecsnsecsseetsaneste 7
Task 3: Create Resource Pools
Task 4: Verify Resource Pool Functionality ... .

Task 5: KNOWlEdGE CheCK oo. ceccccccesssessesseesessecsssscsucssssussucssssussussussussucssssussusssssussussessussussesssessssssesessessseseesessseseeseeseesee

Lab 6 EnablingVCLS Retreat [email protected]

21
Task 1: Verifythe Cluster Domain ID... cccsssssesssesssnecssnecssnecssuessusessnsccsnsccansceussessusessusessnseeaneesteeateeeaneeensecentees
21
Task 2: Enable vCLS Retreat Mode and Monitor vCLS VMs...
Task 3: Revert the Changes
Lab 7 ConfiguringvSphereDistributed SWItCH oo... ccccecesceseeseesesseseeseeseseseesesssseeseesees
25
Task 1:Create a DIStriDUteEd
SWITCH... ec ecccececsecsessessecsneesnessnecsscsnecsnecsuccsnesuscsuscsuecsussuecsuecsuecsuecneecuesanecsneeseeeneeens 25
Task 2: Add ESXi Hosts to t
Task 3: Examine Your Distributed Switch Configuration...
Task 4: MigrateVMs to Another Distributed Switch Port Group ....ccccccccsccscessessessessessessessessessessessesseseeneaee 28

Lab 8 vSphereDistributed Switches .

Managing
Task 1: Add a New Port Grou
Task 2: Enable the VDS Heal
Task 3: Investigatethe VDS Health Check Status
Task 4: Remediate the VDS Issue.

Task 5: Deactivate the VDS Health Check Service

Task 6: Back Up the VDS Configuration
ask 7: KnowledgeCheck...

Lab 9 UsingPort Mirrori

Task 1: Prepareto CaptureMirrored Network Traffic ..
Task 2: ConfigurePort Mirroringon the Distributed SWITCH ...c.ccccccccccccsssssssesessessestesessseseestssteseesteeteseesees 37
Task 3: Verify That Port MirroringIs CapturingTrafic o.oo. cccccccccsessesseesseessesssesssessesseessessuesseesscssessseesseese 38
Task 4: Restore the Distributed Switch CoOmfiQguration ne. ceccceccccceccssecssesseessessseessecsseseecseesseesnecsesssesesesensesneess
39

Lab 10 Viewinga VSAN Datastore Configuration 41 . ......c.cceccccssssessecsesseseeseeeeeeseeeetestenees

Task 1: View a VSAN Datastore ConfiQguration.......cccccccccccscssessssesssssssssessesussue

41
Task 2: View the VSAN Default StoragePolicy 44 wo..ccccccccccccsesssssesseesessuessesseessecssecsuessesssesseessesseessecssecsuesseeseeess

Task 3: View a Virtual Machine on the VSAN Datastore uo... eceessesssseesssesssessseesseeessneessneesnneeseneeseneessneenee

44

Lab 11UsingPolicy-BaSed Storageou... cccessssessesssssssessecssssseesesseseeseesssesseesseuesesseeseaneaeeseenss

Task 1:Add Datastores for Use by Policy-Based

Storage... .cceeccccssessessessessesneesneesecseessecsnecsnecseeneecneeaneens

Task2: Use vSphereStoragevMotion to Migratea VMs Storage.

Task 3: ConfigureStorageTags.
Task 4: Create VM StoragePolicies. .

Task 5: ASSIGN StoragePOliCi€S

TO VMS .o..ececececssesesseestesessstesueseesnessesuesnesuesucsnesussussusstesneensseseesnsstesteensseesteeneeteaee 49

Lab 12 CreatingvSAN StoragePolicies

StoragePolicy
Task 1: Examine the Default
Task 2: Create a Custom Policywith No Failure Tolerance... ecceccecssessessesseesneesneesecseesnecsnecsnecsecneecneeaneens 54
Task 3: Assignthe CUStom PolicytO AVM wocccccccecsecsssesestestesesesesesssesuesnssesuesssesessstesesneatesesnseteseesneeteaes 55
Task 4: Make the VM Compliant .....c.ccccccccecssesesseestesesseesnesnesecsessnssesescsssessussessecsussesessnesnesessesaeeseeseeseeresieeaeeneeneenee
56

Lab 13 BackingUp vCenter Appliance... ccceccssesssssssessesessesseesesesseesesneseeseeseenssesseeeanenes 57

Task 1: BackupVCenter Appliance on... eecsesssesssesssessuessecssscsnecsnecsnscnscsnecsuscsusessecusssuecsuecanecussensesneesnecseaneesnecaneests 57

vi
Lab 14 UsingvSphereConfiguration Profiles oo... ccccceccssseesecsesessessessssessessessseeseesesees
59
Task 1:Configurea Cluster with a SingleImage
Task 2: Configurea Cluster with vSphereConfiguration
Profile
Task 3: Remediate the Hosts in & CIUStED ec eccecsssessseesssessseesseessneessneessuecssneessueessneeesieesneesnnessuvessineesseeesees

Lab 15 WorkingWith Certificates 0... cccccccccscssessessssessessssssessssscsesessssessessessssesessssssseeseeseaees

Task 1: Examine the Machine SSL Certificate

Task 2: Create Certificate SigningRequest
a

Task 3: Replacea Machine SSL Certificate with a PregeneratedCACertificate ..

Lab 16 MonitoringVirtual Machine Performance .
Task 1: Create a CPU Workload .

Task 2: Use Performance Charts to Monitor Host CPU US@ wo. eccecssesssiesssesseesseesseesseeeneessnesesneesnneeenee
74

Lab 17 UsingAlarms...
Task 1: Create a Virtual Machine Alarm to Monitor a Conditio im

Task 2: Triggerthe Virtual Machine Alarm un... eeccesecsessessesssesseesseesnesseesscsessueessessesseesseesusesneesesneesnessneeeeesneens

Task 3: Create a Virtual Machine Alarm to Monitor an Event..

Task 4: Triggerthe Virtual Machine Alarm
Task 5: Deactivate Virtual Machine Alarms oo... ccceescesesssesessesseesseesnessneesnessessneesuessecsnesseesneesneesesnessnessneeeeeaneets 82
Task 6: KNOWlEdGES
CHECK one. eeececcessssssesseessessssesnecsuecsnessscsnecsuscsusessecuscsnecsnssssceuscsuscsusessscuncanecsuecsusessesueesnessnessessseeeseeets
82

Lab 18 ConfiguringLOCKAOWN
Me... ccsesessessessessssesseensssseesecneseesesnsenssesseenesesseeneaeseeneenes
83
Task 1:Start the SSH ServiCe oo. ..eccecssscssesssecsssecsssecsssecsssecsssesessesesseesensecsuvesssvecssueessuessseesenseceusecssneesseecsssecseneteenes

Task 2: Enable and Test Lockdown Mode .

Task 3: Disable Lockdown Mode
Task 4: KNOWlEdGe
CHECK oo.ccecccccecsscssessessessssssssscsucsssssssucssssussusssssussucssssussussssssssussssssssussssssssessssssesessesseesessesseeseesesseeses

ConfiguringIdentityFederation to Use Microsoft ADFS.......87

Lab 19 (Simulation)
TASK1:Lal SHIMUIATION eee cceesesssesssessesseesueesnecsussuscsuecsnecsusesnesucsueesuessuesuecsuecsueesuessesueesuecsuesseesueesuessueessesneeaneeeneeene 87

Lab 20 ConfiguringvCenter to work with an external KMS

Task 1: Configurea KMS on vCenter .

Task 2: Establish Trust between KMS and VCENtEL 0... esesssesssesssesesneeesseessseesssessseeesseesneesnnecsineessneesseeeseee

Lab 21 Creatingan EncryptedVirtual Machine..

Task 1: Creatingan EncryptedVirtual Machine .

Task 2: Confirm the VM is Encryptedwith a Standard Key Provider ....cecccccseecseesseeseesecstesseeeseeseesneens

93

ANSWEDKY .ucecscssssssssssessessesessessecucsessecucsusscscsucsussesucsussessecuesussecusauesuesesuesucseeneeussesneenesusseeneaneaeeneense
95

vii
Lab 1 Accessing
the Lab Environment

Objectiveand Tasks
Access the lab environment and verify that vSpherelicenses are valid:

1. Access Your Lab Environment

2. Verify That the vSphereLicenses Are Valid

3. (Optional)AssignValid vSphereLicenses

Task 1: Access Your Lab Environment

You access and manage the lab environment from the student desktop.

The system assignedto you serves as an end-user terminal.

1. Verify that you are successfullylogged into the student desktop.

NOTE

If not, log in to your student desktopby enteringStudent01 as the user name and
VMwarel! as the password.
2. Log in to the vSphereClient on Site A.
a. Openthe Firefox web browser, click vSphereSite-A on the bookmarks toolbar.

b. Select vSphere Client (SA-VCSA-01).

c. Onthe loginpage, enter the vCenter Server lab credentials.

User name: [email protected]

Password: VMwarel1!

You should see sa-vcsa-01.vclass.local in the vSphereClient's navigationpane.

NOTE

On the vCenter Summarytab, you may see vSAN warningmessages for SA-Compute-
02. These warningscan be safelyignored.Select Actions > Reset To green to clear the
warningmessage.

Task 2: Verify That the vSphereLicenses Are Valid

You verify that the licenses for the vCenter Server systemand the ESXi hosts are valid for Site A.
1. Verify that the licenses for the vCenter Server systemare not expired.
a. From the main menu, select Inventory and click the Hosts and Clusters icon.

b. Select sa-vcsa-01.vclass.local.

c. Inthe right pane, click the Configuretab and click Licensingunder Settings.
d. Verify that the license expirationdate for the vCenter instance is in the future.
Verify that the licenses for the ESXi hosts are valid.
a. From the main menu, select Administration and select Licenses under licensing.

b. On the Licenses page, click Assets and click the HOSTS tab.
c. View the License Expirationcolumn and conform that the license for host the ESXi hosts
are not expired.

If any license has expired,proceedto task 3.

Task 3: (Optional)AssignValid vSphereLicenses
You assignvalid licenses to these vSpherecomponentsif the vCenter Server and ESXi host
licenses are expired.
1. From the main menu, select Administration.
2. Assigna vCenter Server license key to the vCenter Server instance.

a. In the navigationpane, select Licenses under Licensing.

b. On the Licenses pane, click the Licenses tab.

Click ADD to add new licenses.

On the Enter license keys page, enter the vCenter Server and vSphereEnterprisePlus
license keys in the License keys text box. For a
list of license keys see:
WNrw5oF
https://vmware.bravais.com/s/FMuCRtkwDwalxX
You must enter the license keys on separate lines.
Verify that both licenses are listed correctly in the text box and click Next.

On the Edit license names page, enter VMware vCenter Server and VMware
ESXi in the appropriateLicense name text boxes and click Next.
On the Readyto completepage, click Finish.
In theLicenses pane, click the Assets tab and select VCENTER SERVER SYSTEMS.

Select the sa-vcsa-01.vclass.local check box and click ASSIGN LICENSE.

Select the vCenter license and click OK.

3. Assignthe vSphereEnterprisePlus license key to the ESXi hosts for Site A.

In thecenter pane, click the HOSTS tab.

Select all hosts by selectingthe check box to the left of the Asset column header.

Click ASSIGN LICENSE and click Yes to performthe action on 5 objects.

In theAssignLicense dialogbox, select the vSphereEnterprisePlus license key and click OK.
4. Reconnect the ESXi hosts.

a. From the main menu, select Inventory and click the Hosts and Clusters icon.

b. In the navigationpane, select SA-Datacenter.

c. In the right pane, click the Hosts & Clusters tab and select Hosts.
If the ESXi hosts have a status of disconnected, performsubstepsd and e.

Right-clickeach disconnected host and select Connection > Connect if not connected.

@ Verify that all ESXi hosts have a status of Connected.

Lab 2 Configuringa Centralized
VMware Tools Installation Repository

Objectiveand Tasks
Create a shared VMware Tools repository:
1. Preconfigurethe Environment
2. Copy the VMware Tools Packagesto a Datastore

3. View the ESXi Advanced Settings

4 Re-create the /productLocker Symlink

Task 1: Preconfigure
the Environment
You performsome preconfiguration
i n the vSphereClient and ESXi.

1. Login to the vSphereClient on Site A.

a. Openthe Firefox web browser and click vSphereSite-A on the bookmarks toolbar.

b. Select vSphere Client (SA-VCSA-01).

c. On the loginpage, enter the vCenter lab credentials.

User name: [email protected]

Password: VMwarel!
 You enable the SSH service on your ESXi host.
a. From the main menu, select Inventory and click the Hosts and Clusters icon.

b. navigationpane, expandsa-vcsa-01.vclass.local,
In the SA-Datacenter and the SA-
Compute-O2cluster.
c. Inthe navigationpane, select sa-esxi-04.vclass.local.
d. Inthe rightpane, click the Configuretab.
e. Select Services under System.
f. Start the SSH service.

Services
START EDIT STARTUP POLICY...

Name Y Daemon

|
© Direct Console UI Running
© | ESXi Shell Stopped

3. Openan SSH session to SA-ESXi-04.

a. On the Linux taskbar,click Remmina

 b. If the Authentication required pop-up appears, for the passwordenter: VMwarel1!

Authentication required
The loginkeyring
did not get unlocked when you
loggedinto your computer.

c. Double-click SA-ESXi-04.

You will be logged into sa-esxi-O4.vclass.local as the root user.

NOTE

If promptedfor logincredentials,log in by enteringuser name root and password

VMwarel!

Task 2: Copythe VMware Tools Packagesto a Datastore

Verify the VMware Tools packagesare extracted and copy the files to a desired datastore
accessible to your ESXi hosts.
1. Onthe ESXi host, verify vmtools and floppiessub-directories are located in /productLocker:

cd /productLocker
ls
2. Create /vmtoolsRepo directoryin OPSCALE-Datastore:
mkdir /vmfs/volumes/OPSCALE-Datastore/vmtoolsRepo
3. Copythe vmtools and floppies sub-directories to /vmfs/volumes/OPSCALE-
Datastore/vmtoolsRepo
cp -r *
/vmfs/volumes/OPSCALE-Datastore/vmtoolsRepo
4. Verify vmtools and floppies sub-directories are located in the desired datastore:

ls /vmfs/volumes/OPSCALE-Datastore/vmtoolsRepo
5. Close the Remmina window.

Task 3: View the ESXi Advanced Settings

View the current product lockervariable in the ESXi Advanced Settingsfrom the vSphere
Client.

1. vSphereClient,filer for the UserVars.ProductLockerLocation key in Advanced

From the
SystemSettings.
a. Return to the vSphereClient browser tab.
b. Select the sa-esxi-04.vclass.local and select Configuretab.
c. Click Advanced SystemSettingsunder System.
d. Filter for Locker under Key.

Advanced SystemSettings

Key

Annotations.WelcomeMessage
[-] Value YT

C.DCacheMemReserved 400

CBRC.Enable false

e. Record the value that appears in advanced settings.

Task 4: Re-create the /productLockerSymlink
Re-create the /productLocker Symlinkon the vCenter ManagedObjectBrowser (MOB)

1. In the vSphereClient,verify the Host ID from the URL.

a. Click on sa-esxi-04.vclass.local.

b. Record the Host ID that appears in the URL.

<
Cc O & https://sa-vcsa-01 .velass.local/ui/app/host;nav=h/urn:vmomi:Hostsystemgho: bf 18ecdd-341

<
© sa-esxi-O4.vclass.local 7 ACTIONS

tes) Ss
:

(ch e acum Eee Gao FG wo cee ates!

~ (@®sa-vesa-O1.velass.local
~ GH SA-Datacenter Host Details ad Capad
~ {£)SA-Compute-o1 Lest upg

El sa-esxi-o1.vclass.local cpu

El sa-esxi-02.vclass.local 323
~ 2) _SA-Compute-o2
= === Memory
Fl sa-esxi-OS.velass.local 5.28

2. Openthe UpdateProductLockerLocation_Task
vSphereAPI directlyusingthe Host ID:

a. In Firefox, open a new tab and enter https://<vcenter_fqdn>/mob/?moid=<host

ID>&method=updateProductLockerLocation
in the URL replacingthe vCenter FQDN
and Host ID
For example:
https://sa-vcsa-01.vclass.local/mob/?moid=host-
1012&method=updateProductLockerLocation.
3. Log in to sa-vcsa-01.vclass.local MOB by [email protected]
for the user name and VMwarel1! for the password.

4. Updatethe /productLocker symlinkby invokingupdateProductLockerLocation

vSphereAPI
with the datastore containingthe vmtools directory:

a. In the MOB,update the VALUE tab with the datastore: /vmfs/volumes/OPSCALE-

Datastore/vmtoolsRepo
b. Click on Invoke Method to apply the setting.
You will see a task created below.
stringUpdateProductLockerLocation
Task

ath
equted)
| | sting [/mnevohumex/OPSCALE-DatastorefmmtoolsRepo

Method
invocation Result:ManagedObjectReterence
 View the updatedproductlocker variable in the ESXi Advanced Settingsfrom the
vSphereClient.
a. Return to the vSphereClient browser tab.
b. Select the sa-esxi-04.vclass.local and select Configuretab.
c. Inthe Advanced SystemSettingsview, filter for ProductLockerLocation and verify the
value has been updated.

Advanced SystemSettings

Key @ | Value | Summary

UserVars.ProductLockerLocation vmfs/volumes/OPSCALE-Datastore/vmtoolsRepo Path to VMware Tools and vSphere Client repository

Close the ManagedObjectBrowser tab in the browser.

Return to the vSphere Client and disable the SSH service on your ESXi host.
a. From the main menu, select Inventory and click the Hosts and Clusters icon.

b. In the navigationpane, select sa-esxi-04.vclass.local.

c. Inthe rightpane, click the Configuretab.
d. Select Services under System.
e. Stop the SSH service.

10
Lab 3(Simulation)DeployingvSphere
Replicationand Site Recovery
Instances

Objectiveand Tasks
DeployvSphereReplicationand Site RecoveryInstances:
1. Deployand Registerthe On-Premises vSphereReplicationInstance with vCenter

2. Deployand Registerthe On-Premises Site RecoveryInstance with vCenter

IMPORTANT

Do not performthe steps from this simulation in your actual lab environment.

Do not refresh, navigateaway from,or minimize the browser tab hostingthe simulation.
These actions mightpause the simulation,and the simulation mightnot progress.

Task 1: Lab Simulation

You deploy and registerthe on-premisesvSphereReplicationand Site RecoveryComponentson
your vCenter,so you can replicateworkloads runningon physicaland virtual machines.
1. In your local desktop,open a web browser.
2. Go to https://core-vmware.bravais.com/s/TFjUb4|IK5kKiycL5MI|jz2
to open the simulation.

3. After you completethe simulation,close the simulation browser tab.

1
Lab 4(Simulation)Configuring
Replicationfor a SingleVM
Objectiveand Tasks
Configurereplicationfor a singleVM:
1. Configurereplicationfor the virtual machine
2. Verify the replicationstatus
IMPORTANT

Do not performthe steps from this simulation in your actual lab environment.
Do not refresh, navigateaway from, or minimize the browser tab hostingthe simulation.
These actions mightpause the simulation,and the simulation mightnot progress.

Task 1: Lab Simulation

You configurereplicationfor a virtual machine to vCenter.

1. In your local desktop,open a web browser.

2. Go to https://core-vmware.bravais.com/s/I6Wbyl52AYFIPCYpysjh
to open the simulation.

3. After you completethe simulation,close the simulation browser tab.

13
Lab 5 ManagingResource Pools

Objectiveand Tasks
Create and use resource pools:
1. Re-configureVMs
2 Create CPU Contention

3. Create Resource Pools

4 Verify Resource Pool Functionality
5 KnowledgeCheck

Task 1: Re-configureVMs
You configurea VM to facilitate CPU contention.

1. Log in to the vSphereClient on Site A.

a. Openthe Firefox web browser, click vSphereSite-A on the bookmarks toolbar.

b. Select vSphere Client (SA-VCSA-01).

c. On the loginpage, enter the vCenter lab credentials.

User name: [email protected]

Password: VMware1!

From the main menu, select Inventory and select the Hosts and Clusters icon.
Confirm SA-Compute-02is expanded.

15
4. Configurethe poweredoff VMs.

a. In the Navigationpane, right-clickthe Linux-CPU-01 virtual machine and select Edit

Settings.
b. On the Virtual Hardware tab, expandCPU to view more details.

c. Inthe SchedulingAffinity text box, enter O.

This affinitysettingforces the Linux-CPU-01 to run only on logicalCPU O.

Cores per Socket iv

CPU Hot Plug (CD

Enable CPU Hot Add

Reservation (e) Y
MHz ¥

Limit Unlimited Y
MHz ¥

Shares Normal ¥
v

Hardware virtualization O Exposehardware assisted virtualization to the guest OS

Performance Counters Enable virtualized CPU performancecounters

SchedulingAffinity

CAUTION

Schedulingaffinityis used here to create CPU contention for trainingpurposes. VMware

stronglydiscouragesthe use of this feature in a productionenvironment.

d. To applythese CPU configurationchange,click OK.

5. Repeatthis step for the Linux-CPU-O02,
Linux-CPU-03,Linux-CPU-04 and Linux-CPU-05 VMs.

6. After preconfiguration
i s complete,power on all the Linux-CPU-XX VMs.

16
Task 2: Create CPU Contention
You use a tool to create CPU contention in your lab environment for testing.You force the VMs
to compete for and share a singlelogicalCPU on the ESXi host, which mightlead to performance
degradation.
1. Verify that the Linux-CPU-01,Linux-CPU-02,Linux-CPU-03,Linux-CPU-04 and Linux-CPU-
O05VMs are powered on and runningon sa-esxi-O5.vclass.local.

Start the CPUBUSY scripton the VM desktops.

a. Select Linux-CPU-01 in the navigationpane.

b. From the Summarytab, select LAUNCH WEB CONSOLE.

If you are asked to choose between VMRC and Web Console,choose the web console.

Openthe Linux Terminal and run the CPUBUSY scriptlocated on the Desktop.

. /Desktop/cpubusy.pl
Thisscriptruns continuously.It stabilizes in 1 to 2 minutes. This scriptperformsfloating-
pointcomputationsrepeatedly.The scriptdisplaysthe duration (wall-clocktime)of a
computation,for example, I did ten million sines in # seconds.

Repeatsteps a throughc on the Linux-CPU-O2,

Linux-CPU-03, Linux-CPU-04 and
Linux-CPU-05 VMs.

You use the number of seconds reported as a performanceestimate. The script

CPUBUSY should run at approximatelythe same rate in each VM.
3. Leave the CPUBUSY scriptto run for 2 or more minutes so that the processes can reach
their steadystate.

17
Task 3: Create Resource Pools
You create resource poolsto delegatecontrol of a host's or acluster's resources, and to
compartmentalize
resources in a cluster. To create resource poolsin the cluster,you must firstly
enable DRS.

1. Return to the vSphereClient.

2. From the main menu, select Inventory and click the Hosts and Clusters icon.

3. Enable DRS on SA-Compute-02

a. Select the cluster SA-Compute-02.

b. Click the Configuretab.

Select vSphere DRS under the Services menu.

In the right pane, click EDIT.

e. Turn on the vSphereDRS toggle.

f. Leave all other settingsat defaults and click OK.
4. Right-clickSA-Compute-O2in the navigationpane and select New Resource Pool.

5. Assignpropertiesto the resource pool.

Option Action

Name Enter: RP-Test.

CPU Shares Select Low from the Shares drop-downmenu.

All other settings | Leave the default settings.

6. Click OK.

7. In the Navigationpane, right-clickSA-Compute-02and select New Resource Pool.

8. Assignpropertiesto the resource pool.

Option Action

Name Enter: RP-Production.

CPU Shares Select Highfrom the Shares drop-downmenu.

All other settings Leave the default settings.

9. Click OK.
10. Expandthe resource pools in the navigationpane.
18
Task 4: Verify Resource Pool Functionality
You assignVMs to resource poolswith different resource settingsto monitor and compare the
performance.
1. Select the RP-Test resource pool in the navigationpane and click the Summarytab. From
here, you can scroll down and inspectthe number of shares in the RP-Test resource pool.
Ql. What is the number of shares for this RP-Test (Low) resource pool?
2. Select the RP-Production resource pool in the navigationpane and click the Summarytab.
From here, you can scroll down and inspectthe number of shares in the RP-Production
resource pool.
Q2. What is the number of shares for this RP-Production (High)resource pool?
3. Dragthe Linux-CPU-01 VM to the RP-Production resource pool.
4. Dragthe Linux-CPU-02 to the RP-Test resource pool.
5. Switch between VM consoles to monitor the results of the CPUBUSY script.
Wait a coupleof minutes for the performanceof the VMs to change.
The contention should be evidenced the Linux-CPU-O02console by increased duration for
on
the same executions. For example,calculations mighthave taken 8 seconds before the VM
was placedin the resource pool,and now it mighttake 12 seconds because of lower shares
in the resource pool.
Q3. What is the difference in performancebetween the two virtual machines?

6. Dragthe Linux-CPU-03,Linux-CPU-04 and Linux-CPU-05 VMs to the RP-Production

resource pool.
7. Switch between VM consoles to monitor the results of the CPUBUSY script.
Wait a coupleof minutes for the performanceof the VMs to change.
In the Resource Pools, the shares are distributed in a ratio of 4:1. Amongthe VMs,4 of them
have Highshares,while 1VM has Low shares. As a result, all 4 High-share VMs should receive
comparableamounts of CPU cycles.
8. Enable Scalable Shares on SA-Compute-O2.
a. Select the cluster SA-Compute-02.
b. Click the Configuretab.
c. Select vSphere DRS under the Services menu.

d. Inthe right pane, click EDIT.

e. Select the Additional Optionstab.
f. | Select the Enable scalable shares for the resource pools on this cluster check box.
g. Click OK.

19
 Switch between VM consoles to monitor the results of the CPUBUSY script.

Wait a coupleof minutes for the performanceof theVMs to change.

The VMs within RP-Production will retain a significantlyhigherCPU priority due to the
allocation of highCPU shares in the resource pool.
10. In the vSphereClient, changethe CPU shares of the RP-Test resource pool to Normal.

a. Right-click
the resource pool RP-Test in the Navigationpane and click Edit Resource
Settings.
b. Under CPU,select Normal for the Shares settingand click OK.

c. Ineach VM console, leave the scriptto run for a few minutes and compare the
performanceof the CPUBUSY scripton each VM.
As the limited CPU reapportionedbetween the 5 VMs, a difference in
resources are
performanceis noticeable on the Linux-CPU-02 VM. For example,now, the
performanceof the VM assignedas Linux-CPU- 02 is approximatelytwice as fast as
each of the VMs labeled as 01,03, 04, and OS.The reason for this is that VM 01 has
exclusive access to 4000 shares,while the remaining4 VMs are sharinga total of8000
shares,resultingin an allocation of 2000 shares per VM.
11. Repeatthe previousstep to changeCPU shares for the RP-Production resource pool to
Normal.

It takes few seconds for the VMkernel scheduler to implementthe new share values. After
a
some time,you should observe that VM Linux-CPU-02 is runningapproximatelyfour times
faster than each of the other four VMs. This is because the shares allocated to VMs in the two
Resource Pools are the same, but there are four VMs in one RP and only one VM in the other

12. Press Ctrl+C in each Web Console window for all Linux-CPU-XX VMs to stop the CPUBUSY
script.
13. Close the Linux-CPU-01,Linux-CPU-02,Linux-CPU-03, Linux-CPU-04 and Linux-CPU-05
web consoles.

Task 5: KnowledgeCheck
You are tasked to create a resource pool and add virtual machines.

1. Create a new resource pool called: RP-Student in SA-Compute-02

2 ConfigureNormal CPU Shares for RP-Student.

3. Add Linux-CPU-02 to RP-Student.

4. Shut down Linux-CPU-01,

Linux-CPU-02,Linux-CPU-03,Linux-CPU-04 and Linux-CPU-05.
5 Disable DRS on the cluster SA-Compute-02.

Doingthis removes all the resource poolsfrom the cluster.

20
Lab 6 EnablingvCLS Retreat Mode

Objectiveand Tasks
Enable vCLS retreat mode on a vSphereluster:
1. Verify the Cluster Domain ID

2. Enable vCLS Retreat Mode and Monitor vCLS VMs

3. Revert the Changes

Task 1: Verify the Cluster Domain ID

You loginto vCenter and to verify the cluster domain ID.
1. Log in to the vSphereClient on Site A.
a. Openthe Firefox web browser, click vSphereSite-A on the bookmarks toolbar.

b. Select vSphere Client (SA-VCSA-01).

c. On the loginpage, enter the vCenter Server lab credentials.
User name: [email protected]
Password: VMware1!

ON From the main menu, select Host and Clusters.

Select SA-Compute-01.
8 Select the VM tab and verify the vCLS VMs are listed.
a Record the cluster domain ID from the URL of the browser. It is the numbers following:
domain-c until the colon.

3s://sa-vesa-01 velass.local/ul/app/clusterinav=h/urn:vmomi:clustercomputeResource:d
maingoroogpr
:

cn SA-Compute-o1

Cluster Details

21
Task 2: Enable vCLS Retreat Mode and Monitor vCLS VMs
You enable retreat mode SA-Compute-01
on and monitor the vCLS VMs. Retreat mode lets you
disable the vSphereCluster Services to automaticallyremove the vCLS VMs.
1. Select sa-vcsa-01.vclass.local.
2. Inthe right pane, click the Configuretab and click Advanced Settings.
3. Click EDIT SETTINGS.

4 Add anew entry config.vcls.clusters .domain-c<number>. enabled in the

name text box.

Use the domain ID for <number> from Task 1.

5. Set the Value to False.
6. Select ADD and click Save.

f you filter for vels, you should see the advanced settingadded to your vCenter.

Advanced vCenter Server Settings

Name ® Value Y Summary

config.vcls.clusters.domain-cl006.enabled False -

7. Select SA-Compute-01.

8. Select the VM tab and monitor the vCLS VMs.

Monitor to completionusingRecent Tasks. The vCLS VMs will be powered off and deleted.

NOTE

After the retreat mode is enabled,DRS is not functional,even if it is activated, until vCLS is
reconfiguredby removingit from Retreat Mode. Also, vSphereHA does not performoptimal
placementduringa host failure scenario. HA dependson DRS for placement
recommendations. HA will still bower on the VMs but these VMs mightbe powered on in a
less optimalhost.

22
Task 3: Revert the Changes
You revert the changesmade to the cluster.

1. Select sa-vcsa-01.vclass.local.

2 n the right pane, click the Configuretab and click Advanced Settings.
3. Click EDIT SETTINGS.
4 Filter for vels to find the entry config.vcls.clusters.domain-
c<number>. enabled from Task 2.

Edit Advanced SystemSettings _ sa-esxi-04.vclass.local

[A Modifyingconfiguration
parametersis unsupported
and can cause instability.
Continue only if you know what!

Key Value

Annotations.WelcomeMessage

CBRC.DCacheMemReserved 400

Set the Value to True.

Click Save.

Monitor the cluster to see the new vCLS VMs beingdeployedand powered-on.
a. Select SA-Compute-01.

b. Select the VM tab and monitor the vCLS VMs.

Qi. What is the number of vCLS VMs deployed?

23
Lab 7 ConfiguringvSphere
Distributed Switch

Objectiveand Tasks
Create and configurea distributed switch:

1. Create a Distributed Switch

2. Add ESXi Hosts to the Distributed Switch

3. Examine Your Distributed Switch Configuration

4 MigrateVMs to Another Distributed Switch Port Group

Task 1: Create a Distributed Switch

You create a distributed switch that functions as a singlevirtual switch across all associated hosts
in your vSphereenvironment.

1. Openthe Firefox web browser, click vSphereSite-A on the bookmarks toolbar, and select
vSphereClient (SA-VCSA-01).
If you are not logged in from a previousactivity,log in usingthe vCenter Server lab
credentials:
User name [email protected]
Password VMware1!

2. From the main menu, select Inventory and click the Networkingicon
3. In the navigationpane, expandsa-vcsa-O1.vclass.local.
4. Right-clickSA-Datacenter and select Distributed Switch > New Distributed Switch.

The New Distributed Switch wizard appears.

5. Create a distributed switch.

a. Onthe Name and location page, enter vds—Lab in the text box and click NEXT.

b. On the Select version page, leave 8.0.0 -

ESXi 8.0 and later selected and click NEXT.

25
 On the Configuresettingspage, enter pg-SA-Production in the Port group text
box, keep all other default values,and click NEXT.

Configuresettings x
Specifynetwork offloads compatibility,
number of uplinkports,resource
allocation and default port group.

Network Offloads None v

@
compatibility
OO

Number of uplinks 4 +

Network I/O Control Enabled ¥

Default port group Create a default port group

Port group name pg-SA-Production

d. On the Readyto complete page, review the configurationsettingsand click FINISH.

In the navigationpane, expandSA-Datacenter and verify that the vds-Lab distributed switch
appears.
Configurethe pg-SA-Productionport group to use only Uplink1.
a. In the navigationpane, expandvds-Lab distributed switch.
b. Right-clickpg-SA-Productionport group and select Edit Settings.
In the Edit Settingswindow,select Teamingand failover.
Under Failover Order, move Uplink2, Uplink3 and Uplink4 down until they appear
under Unused uplinks.
You can select multipleuplinksat once and move all at the same time.

To applythese changes,click OK.

26
Task 2: Add ESXi Hosts to the Distributed Switch
You add ESXi hosts and physicaladaptersto the new distributed switch.

1. In the navigationpane, right-clickvds-Lab and select Add and Manage Hosts.

2. On the Select task page, leave Add hosts selected and click NEXT.

3. Select the check box for the hosts listed here and click OK.
sa-esxi-O1.vclass.local
sa-esxi-O2.vclass.local
sa-esxi-04.vclass.local
sa-esxi-05.vclass.local
sa-esxi-06.vclass.local
4. Click NEXT.

5. On the Managephysicaladapters page, assignvmnic3 to Uplink1.

a. In the vmnic3 row, click on the dropdown in the Assignuplinkcolumn and select Uplink1.
b. When ready,click NEXT.

6. On the ManageVMkernel adapters page, click NEXT.

7. On the MigrateVM networking page, click NEXT.

8. On the Readyto complete page, review settingsand click FINISH.

Task 3: Examine Your Distributed Switch Configuration

You examine distributed switch features,includingthe maximum transmission unit (MTU)value,
VLAN capabilities,NetFlow,and Network I/O Control.
1. In the navigationpane, select vds-Lab.

2. Inthe right pane, click the Configuretab and select Topology under Settings.
3. In the distributed switch topology diagram,expand Uplink1.
4 Verify that the vmnic3 is attached and appears under Uplink1 for ESXi hosts sa-esxi-01,sa-
esxi-O2,sa-esxi-04,sa-esxi-O5,and sa-esxi-O6.

pg-SA-Production vds-Lab-DVUplinks-6004
1(5
NIC

60000
oo v

LAN ID VGiUpiink Adapter

27
5. Click the pg-SA-Productionport group to highlightthe active uplinksfor this portgroup.

6. On the vds-Lab page, under settings,select Propertiesand verify the settings.

e Number of uplinksis 4.

Network I/O Control is Enabled.

e The MTU size is 1500 Bytes.
e The Discover Protocol Type is set to Cisco DiscoveryProtocol and operationis set to
Listen.

7. Under Settings,select each menu option to review the current configuration.

e LACP: No entries are in the main window.

e Private VLAN: No en ries are in the main window.

. etFlow: No Collector IP address is set in the main window.

Port Mirroring:No en ries are in the main window.

e Health Check: All items are set to Disabled in the main window.

8. In the navigationpane, se’

lect the pg-SA-Production
port group.
9. Inthe right pane, click the Configuretab and select Propertieson the left.

10. Verify the distributed por group settings.

e
=Port binding,i s set to Static binding.
e Port allocation,is set to Elastic.
e Number of ports, is set to 8.

Task 4: MigrateVMs to Another Distributed Switch Port Group

You move VMs from their current port groups the vds-SA-Datacenter distributed switch to
on
the pg-SA-Productionport group on the vds-Lab distributed switch.
1. Right-clickon the SA-Datacenter and select MigrateVMs to Another Network.

The MigrateVMs to Another Network wizard appears.

2. Migratethe VMs.

a. On the Select source network page, select pg-SA-Management

and click NEXT.

b. On the Select destination networks page, select pg-SA-Productionand click NEXT.

c. Onthe Select VMs to migratepage, select VMs Linux01 & LinuxO2 and click NEXT.
d. On the Readyto complete page, review settingsand click FINISH.

e. Monitor the task to completionusingRecent Tasks.

28
3. Verify your distributed switch configuration.
a. In the navigationpane, select vds-Lab and click Hosts in the right pane.

b. Verify that sa-esxi-O1,sa-esxi-O2,sa-esxi-04,sa-esxi-O5,and sa-esxi-06 are connected

to the distributed switch.

The state of the ESXi hosts should be Connected.

Click VMs and verify that the Linux01 and Linux02 VMs are listed.

If the VMs are listed,they reside on the new distributed switch.

Click Ports and verify that pg-SA-Productionis listed in the Port Groupcolumn.

@ Verify that an uplinkport group is listed which you previouslymappedbetween vmnic3

and Uplink1.

You can click the Connectee column to filter.

@ vds-Lab | actions
Summary Monitor Configure Permissions Ports Hosts. «=«
VMs_-—sNetworks

Runtime MAC
Address | Y State | VLANID a

»| 8
Uplink 1 ab-DVUplinks-6004 Link Up

» | 2 uplink

» | 20 Jplink

Click the Hosts and Clusters icon from the inventory.

Log in to the Linux0O1web console.
a. n the navigationpane, click Linux01 under SA-Datacenter > SA-Compute-02.
b. n the right pane, click LAUNCH WEB CONSOLE.

Cc. Click the Linux01 web console tab in the browser and click in the window to capture
keyboardinput.
d. Log in by enteringuser name root and passwordVMwarel1!
At the command prompt, ping172.20.10.2 (the domain controller’s
IP address)to verify that
the VM has full network connectivity.

ping -c 3 172.20.10.2
If the ping command is successful,
continue to Step 9.

29
8. If the ping command is unsuccessful,
restart the networkingin the VM.

a. Enter the command to ensure that your VM has a valid DHCP-assigned

IP address.

service network restart

b. Repeatsteps 6 and 7.
9. Close the VM Linux01 web console tab.

30
Lab 8 Managing
vSphereDistributed
Switches

Objectiveand Tasks
Use the vSphereClient to create and maintain a vSphereDistributed Switch (VDS)at the data
center level:

1. Adda New Port Groupto VDS

WN Enable the VDS Health Check

Investigatethe VDS Health Check Status

KR Remediate the VDS Issue

OM Deactivate the VDS Health Check Service

Oo Back Up the VDS Configuration
Nn KnowledgeCheck

31
Task 1: Add a New Port Groupto VDS
You add a port group to the vds-Lab vSpheredistributed switch.
1. Log in to the vSphereClient on Site A.
a. Openthe Firefox web browser, and click vSphereSite-A on the bookmarks toolbar.

b. Select vSphere Client (SA-VCSA-01).

c. Onthe loginpage, enter the vCenter lab credentials.

User name: [email protected]

Password: VMware1!

WN From the main menu, select Inventory and click the Networking icon.
Right-clickvds-Lab and select Distributed Port Group> New Distributed Port Group.
8 On the Name and location page, enter pg-SA-Testing in the text box and click NEXT.

ao On the Configuresettingspage, select VLAN under VLAN type from the drop-downmenu,
enter 10 for the VLAN number,and click NEXT.

6. On the Readyto completepage, review the information about your new VDS port group
and click FINISH.

Task 2: Enable the VDS Health Check

You enable the VDS health check service on the vds-Lab vSpheredistributed switch to verify its
configurationfor errors or mismatches.

aa
1. In the navigationpane, select vds-Lab.

WN Select the Configuretab

Click EDIT in the
and select Health Check under

top-rightcorner.
Settings.

fF Under VLAN and MTU, select Enabled from the State drop-downmenu.
Under Teamingand failover, select Enabled from the State drop-downmenu.

Click OK.

NOTE

After the health check is enabled, the VDS health check beginstestingfor selected
configurationoptions(VLAN and MTU, Teamingand Failover,or both) by creatingmany
fictitious MAC addresses. These MAC addresses continue to be created and sent through
the vSphereand physicalnetworks as longas the VDS health check is enabled.

32
Task 3: Investigatethe VDS Health Check Status
You check for results from the VDS health check service.

The health check can take some time.

1. Select vds-Lab in the navigationpane.

2. Select the Monitor tab and select Health in the Monitor page menu.

3. Observe the Host Name list in the rightpane.

This list should compriseall hosts that were added to vSphereDistributed Switch.
This list continuouslyupdateswith health check results while the health check service is
enabled.

4. Highlighta host listing,where a warningappears, to view the additional information displayed

below it.

VLAN is the default tab under Health status details. To check MTU or other settings,you
must click the individual tabs.

When you set a VLAN in task 1,we didn't configurethe physicalenvironment to match.

Task 4: Remediate the VDS Issue

You fix the incorrect VLAN configuredon your new port group that you confirmed throughthe
VDS health check.

1. Confirm vds-Lab is expanded.

2. Right-clickthe pg-SA-Testingport group and select Edit settings.
3. Onthe VLAN page, select None for the VLAN type drop-down.
SelectingNone for this value removes any previouslyappliedVLAN tags on the pg-SA-
Testingport group.
NOTE

VMkernel port configurationis managedindependently.However, VDS port group

configurationcan affect VMkernel port configuration.

4. Toapply the VLAN change,click OK.

5. Verify your change.
a. Select vds-Lab in the navigationpane.
b. Select the Monitor tab and select Health to verify that VLAN Health Status has changed
and now indicates Normal.

33
Task 5: Deactivate the VDS Health Check Service
You deactivate the VDS health check service on the vds-Lab vSpheredistributed switch.

Deactivatingthe VDS health check service is importantbecause of the many fictitious MAC
addresses generatedat one-minute intervals to facilitate troubleshootingefforts in the network
infrastructure. The environment needs time for those MAC addresses to time out of the
infrastructure,accordingto the network policy after the VDS health check is deactivated.
1. In the navigationpane, select vds-Lab.

WN Select the

Click EDIT.
Configuretab and select Health Check under Settings.

fF Under VLAN and MTU, select Disabled from the State drop-downmenu.
a Under Teamingand failover, select Disabled from the State drop-downmenu.
a Click OK.

Task 6: Back Up the VDS Configuration

You back up the configurationfor the vds-Lab vSpheredistributed switch.

1. In the navigationpane, right-clickvds-Lab and select Settings> Export Configuration.

2. In the Export Configuration
dialogbox, leave Distributed switch and all port groups
selected and click OK.

Save the distributed switch configurationto the desktopwith the filename vds-Lab-
backup. zip.

Task 7: KnowledgeCheck
You are tasked to create and configurea vSphereDistributed Switch.

1. Create a new distributed switch called: vds-Student

2. Create a new port group called: pg-SA-Test
3. Add sa-esxi-04.vclass.local to vds-Student and assignvmnic4 to Uplink1.

34
Lab 9 UsingPort Mirroring
Objectiveand Tasks
Configureport mirroringand capture network traffic on a distributed switch:

1. Prepareto Cap ure Mirrored Network Traffic

2 ConfigurePort Mirroringon the Distributed Switch
3. Verify That Por MirroringIs CapturingTraffic
4 Restore the Dis ributed Switch Configuration

Task 1: Prepareto CaptureMirrored Network Traffic

You use the LinuxO VM to capture and monitor mirrored traffic.

1. Log in to the vSphereClient on Site A.

a. Openthe Firefox web browser, click vSphereSite-A on the bookmarks toolbar.

b. Select vSphere Client (SA-VCSA-01).

c. On the loginpage, enter the vCenter lab credentials.

User name: [email protected]
Password: VMware1!

2. From the main menu, select Inventory and click the Hosts and Clusters icon.

3. In the navigationpane, expand SA-Datacenter and select SA-Compute-02.

4. In the navigationpane, select the Linux01 VM.
The Linux01 VM will be used as the Port Mirroringdestination.
5. In the right pane, click Summaryand click LAUNCH WEB CONSOLE.

6. If not alreadyloggedin, click in the window to capturekeyboardinput.

a. Login by enteringuser root with passwordVMwarel1!

35
 In the LinuxO1web console,enter the tcpdump command at the command prompt.
tcpdump -nn icmp
This command line is used to monitor ICMP network traffic.
[root@localhost ~1]# tcpdump -nn icmp
tcpdump: verbose output suppressed, use -v or -vyv for full protocol decode
listening on eth@, link-type EN16MB (Ethernet), capture size 96 bytes

Monitor the command output for a few seconds and verify that ICMP traffic is not being
captured.
The tcpdump output does not have any information to displayuntil ICMP traffic detects
pingpacketsarrivingon the VM's vNIC.

Leave the console window open with the tcpdump command runninguninterrupted.
Return to the vSphereClient tab.
In the navigationpane, select the Linux02 VM.

In the right pane, click Summaryand click LAUNCH WEB CONSOLE.

Click the LinuxO2 Web Console tab in the browser and click in the window to capture
keyboardinput.
a. Login by enteringuser root with passwordVMwarel1!
The LinuxO2 VM is used as the traffic source to be mirrored.

14. At the LinuxO2 command prompt,enter the ping command.

ping 172.20.10.2
This command pingsthe default router IP address.

15. If the ping command does not work, enter the followingcommand to restart network
services and then repeat step 14.
service network restart

16. After the ping command beginsto work, click the Linux01 console tab.

17. In the LinuxO1console window,verify that the runningtcpdump command output remains
silent and did not capture any ICMP traffic.

36
Task 2: ConfigurePort Mirroringon the Distributed Switch
You configureport mirroringso that the port connected to the LinuxO2 VM is the mirror source
and the port connected to the Linux01 VM is the mirror destination.
All the traffic present on the LinuxO2 port is forwarded to the Linux01 port for examination.
IMPORTANT

Ensure that the Linux01 and Linux02 VMs both reside on sa-esxi-06.vclass.local. Duringa
previouslab, DRS may have placedeither VM on another ESXi. If so, proceedto Migratethe
VM back to sa-esxi-06.vclass.local.

Open thevSphereClient tab.

WN From themain menu, select

Select vds-Lab.
Inventory and click the Networking icon.

8 In the right pane, click Configureand select Port Mirroringon the left.
a Add a port mirroringsession.
a. On the Port Mirroringpanel,click NEW.
The Add Port MirroringSession wizard appears.

b. On the Select session type page, leave Distributed Port Mirroringselected and click
NEXT.

When you select this session type, distributed ports can only be local. If the source and
destination ports are on different hosts, port mirroringdoes not work between them.

c. On the Edit propertiespage, configurethe port mirroringsession.

i. From the Status drop-downmenu, select Enabled.
ii. | From the Normal I/O on destination ports drop-downmenu, select Allowed and
click NEXT.

37
 d. On the Select sources page, configurethe port mirroringsource.
i. Onthe All ports tabs, select the check box for LinuxO2 below Connected Entity.
All ports Selected ports (1)

SELECT ALL CLEAR SELECTION

LO portio
Y | Port
Name
Y
Host
Y | Connected
Entity
y | Runtime
Address
MAC Y
Port Group Name

class.local () LinuxO1 00:50:5

ff] sa-esxi-O6.vclass.local ) LinuxO2 00:50:56:b7:c0:7d

ii, Click NEXT.

e. On the Select destinations page, configurethe port mirroringdestination.
i. Onthe All ports tabs, select the check box for LinuxO1 below Connected Entity.
ii, Click NEXT.

f. Onthe Readyto completepage, review the configurationand click FINISH.

g. Monitor to completionusingRecent Tasks.

Task 3: Verify That Port MirroringIs CapturingTraffic

Withport mirroringconfigured,you view the tcpdump command output and verify that any
ICMP traffic appearingon the LinuxO2 port is duplicatedon the Linux01 port.

1. Return to the LinuxO2 console tab.

2. Verify that the ping command is still reachingthe default router IP address.

3. Go to the Linux01 console tab.

4. In the Linux01 console, examine the tcpdump output in the terminal window.

The output looks similar to the followingscreenshot.

12:13:54.713364 IP 172.286.186.117 >
[email protected]: ICMP echo request, id 39785, seq
67, length 64
2:13:54.713661 IP 172.20.18.2 > 172.28.18.117: ICMP echo reply, id 39785, seq 6
length 64
12:13:55.713772 IP 172.26.18.117? >
172.28.18.2: ICMP echo request, id 39705, seq
68, length 64

5. Record the local address that appears in the capturedtraffic.

The local address beginswith 172.20.10.

38
6. In the LinuxO1console window,press Ctrl+C to stop the tcpdump command.
a. If pressingCtrl+C does not work, click anywhereinside the command prompt and
repeat.
7. Click the Linux02 console tab.

8. In the Linux02 console window, press Ctrl+C to stop the ping command.
9. At the LinuxO2 command prompt,use if config to examine the IP configuration.
ifconfig
10. Use the command output to verify that the LinuxO2 IP address matches the address that
you recorded in step 5.
11. Close the Linux01 and Linux02 console tabs.

12. Shut down Linux01 and LinuxO2.

a. From the main menu of the vSphereClient,select Inventory and click the Hosts and
Clusters icon.

b. In the navigationpane, click SA-Compute-O2and select the VM tab.

c. Click the check box for Linux01 and Linux02.

d. Right-clickthe highlightedVMs and select Power > Shut Down Guest OS.

e. In the pop-up window,click Yes to confirm the shutdown operation.

Task 4: Restore the Distributed Switch Configuration

You restore the vSpheredistributed switch (vds-Lab)configuration
to reset changesmade since
the configurationwas saved.

1. From the main menu, select Inventory and click the Networkingicon.
2. Inthe navigationpane, right-clickvds-Lab and select Settings> Restore Configuration.
The Restore Configuration
wizard appears.

3. On the Restore switch configurationpage, click BROWSE,select the file /Desktop/vds-

Lab-backup. zip, and click Open.
4. Leave Restore distributed switch and all port groups selected and click NEXT.
5. On the Readyto completepage, review the settingsand click FINISH.
f you lose connection to the vSphereClient,restart Firefox.

39
 After the switch configurationis restored, verify the configuration.
View the port mirroring
configurationand verify that the vds-Lab has no sessions configured.
a. In the navigationpane, click vds-Lab and select the Configuretab.
b. In the middle pane, select Port Mirroringunder Settings.
The port mirroringconfigurationwas removed by the VDS restore operation.
If the switch configurationdid not restore properly,repeat previoussteps1 through5.

40
Lab 10Viewinga vSAN Datastore
Configuration
Objectiveand Tasks
View a vSAN datastore configurationand a virtual machine's componentson the vSAN
datastore:

1. View a vSAN Datastore Configuration

2. View the vSAN Default StoragePolicy

3. View a Virtual Machine on the vSAN Datastore

Task 1: View a vSAN Datastore Configuration

You view existingvVSANdatastore configurationin the SA-Compute-O2
an cluster to familiarize
yourselfwith where to find vSAN information in the vSphereClient.
1. Log in to the vSphereClient on Site A.

a. Openthe Firefox web browser, click vSphereSite-A on the bookmarks toolbar.

b. Select vSphereClient (SA-VCSA-01).

c. On the loginpage, enter the vCenter lab credentials.

User name: [email protected]

Password: VMware1!

41
 Verify that vSAN is activated on the SA-Compute-O2
cluster.

From the main menu, select Inventory and click the Hosts and Clusters icon.

In the navigationpane, expandSA-Datacenter and select SA-Compute-0O2.

In the right pane, click the Configuretab.
Under Configuration,
select Quickstart.
e. Verify that VSAN appears as one of the selected services.

View the ESXi hosts that belongto the vSAN cluster.

a. In the rightpane, click the Summarytab.

b. Scroll down to the Cluster Resources tile to view the number of hosts in the vSAN
cluster.

c. Click the Hosts tab to view the names of the ESXi hosts in the cluster.
View the disk group configurationon the hosts in the vSAN cluster.

a. n the rightpane, click the Configuretab.

b. Under vSAN, select Disk Management.

(0) SA-Compute-0O2: actions |

SummaryMonitor Configure
Pern

VM Overrides
vSphere
/O Filters
> DRS Autor
Host Options

Host Profile ns

Licensing v > Power Man,

vSAN Cluster
Advanced
Trust Authority
Alarm Definitions

Scheduled Tasks

vSphere Cluster Services v

Datastores

vSAN

Services

Disk Management

Fault Domains

Remote Datastores

42
 For the first ESXi host in the list,select VIEW DISKS and expandthe Disk group to view
its details.
Information about the disk group appears in the lower pane.

Ql. How many storage devices are in this disk group?

Q2. What are the drive types?

Q3. What tier does each drive belongto?

View the disk groups for the other ESXi hosts.
Select the drop-downnext to SA-ESXI-04.VCLASS.LOCAL on the middle pane to
navigatebetween hosts.
The number of storage devices,drive types, and tier assignments
are the same as the
first host.

View the VMkernel adapterconfigurationthat is used to access the vSAN network.

In the navigationpane, select sa-esxi-04.vclass.local.

Click the Configuretab.
Under Networking,select VMkernel adapters.

In the VMkernel adapterslist,expandvmk1 to view its details.

Click the Propertiestab for vmk1.

Verify that vSAN appears as an Enabled service.
View storage capacityinformation for the vSAN cluster.
a. In the navigationpane, select SA-Compute-02.
b. In the rightpane, click the Summarytab.
Scroll down and review the information about vSAN.

This VSAN Capacitytile shows current storage capacityused.

For vSAN Usage,click VIEW CAPACITY on the vSAN Capacitytile.

The Monitor tab appears, and the vSAN > Capacity> CapacityOverview pane shows
used space and free space in the vSAN cluster.

43
Task 2: View the vSAN Default StoragePolicy
You view information about the vSAN Default StoragePolicy,and you estimate the usable
storage capacityof this policy.
1. From the main menu, select Policies and Profiles.

2 In the navigationpane, verify VM Storage Policies is selected.

3. In the rightpane, scroll down the list of policiesand select vVSANDefault StoragePolicy.
4 In the Rules tab, view the rule set for this storage policy.
This storage policy uses RAID 1 (mirroring).
Estimate the usable storage capacityof the vSAN default storage policy.
a. From the main menu, select Inventory and click the Storage icon.
b. In the navigationpane, expandsa-vcsa-01.vclass.local and expandSA-Datacenter.
c. Inthe navigationpane under SA-Datacenter,select vsanDatastore.
fom = he right pane, click the Monitor tab.
e. Under vSAN, select Capacity.
Confirm the CAPACITY USAGE tab is selected and review the CapacityOverview and
What if analysispanes. From here, you can estimate the effective free space available
on the vSAN datastore if you deploy a VM with the specifiedstorage policy.The policy
selected is vSAN Default Storage Policy.

Ql. Why is the policy'seffective free space the value that it is?

Task 3: View a Virtual Machine on the vSAN Datastore

You confirm virtual machine is located on the vSAN datastore, and you familiarize
a yourselfwith
the vSAN componentsthat make up the VM.
1. Verify that vsanDatastore is selected in the navigationpane.
2. In the right pane, click the VMs tab.

A virtual machine named Photon-03 appears in the list.

Click Photon-03.

Verify that the VMs and Templatesview appears and Photon-03 is selected in the navigation
pane.
View the vSAN componentsthat make up the Photon-O3 virtual machine.
a.__In the rightpane, click the Monitor tab.
b. Under vSAN, select Physicaldisk placement.
c. Review the virtual machine's objectsand the componentsfor each object.

44
Lab 11 UsingPolicy-Based
Storage
Objectiveand Tasks
Use policy-basedstorage to create tiered storage for VMFS datastore without a VASA provider:

1. Add Datastores for Use by Policy-BasedStorage

2 Use vSphereStoragevMotion to Migratea VMs Storage

3 ConfigureStorageTags
4. Create VM StoragePolicies
5 AssignStoragePolicies to VMs

Task 1: Add Datastores for Use by Policy-BasedStorage

You create two small datastores,as simpletiered storage, for use by your vCenter instance.
1. Log in to the vSphereClient on Site A.
a. Openthe Firefox web browser, click vSphereSite-A on the bookmarks toolbar.

b. Select vSphereClient (SA-VCSA-01).

c. On the loginpage, enter the vCenter lab credentials.

User name: [email protected]

Password: VMware1!
2. From the main menu, select Inventory and click the Storage icon.

45
 Create a datastore named ds-gold.

a. In the navigationpane, right-clickSA-Datacenter and select Storage > New Datastore.

The New Datastore wizard appears.

On the Type page, leave VMFS selected and click NEXT.

On the Name and device selection page, enter ds-gold in the Name text box.

From the Select a host drop-downmenu, select ESXi host sa-esxi-04.vclass.local.

From the LUN list, select LUN 7 with the entry descriptionFreeNAS ISCSI Disk (naa..)
and capacity8.00 GB,and click NEXT.

Local drives are labeled as Local VMware Disk. Do not select these drives.

On the VMFS version page, leave VMFS 6 selected and click NEXT.

On the Partition configurationpage, keep the default values and click NEXT.
On the Readyto completepage, review settingsand click FINISH.

In the Recent Tasks pane, verify that the task was completed.
j. Verify that the datastore ds-goldappears in the navigationpane.
Create a datastore named ds-silver.

a. In the navigationpane, right-clickSA-Datacenter and select Storage > New Datastore.

The New Datastore wizard appears.

On the Type page, leave VMFS selected and click NEXT.

On the Name and device selection page, enter ds-silver in the Name text box.

From the Select a host drop-downmenu, select ESXi host sa-esxi-04.vclass.local.

From the LUN list, select LUN 8 with the entry descriptionFreeNAS ISCSI Disk (naa..)
and capacity12.00 GB,and click NEXT.

Local drives are labeled as Local VMware Disk. Do not select these drives.

On the VMFS version page, leave VMFS 6 selected and click NEXT.

On the Partition configurationpage, keep the default values and click NEXT.

On the Readyto completepage, review settingsand click FINISH.

In the Recent Tasks pane, verify that the task was completed.
Verify that the datastore ds-silver appears in the navigationpane.

46
Task 2: Use vSphereStoragevMotion to Migratea VMs Storage
You use vSphereStoragevMotion to migratethe Photon-01 VM to the ds-golddatastore.
1. From the main menu, select Inventory and click the Hosts and Clusters icon

2. Inthe navigationpane, right-clickPhoton-01 and select Migrate.

The Migratewizard appears.

3. On the Select a migrationtype page, click Changestorage only and click NEXT.
4. On the Select storage page, select the datastore ds-gold, leave all other settingswith their
default values,and click NEXT.

5. On the Readyto completepage, click FINISH.

6. In the Recent Tasks pane, monitor the migrationtask to completion.

7. Verify that the migrationwas successful.

You mightneed to refresh the vSphereClient to see that the migrationis complete.
a. In the navigationpane, select Photon-01.

b. In the right pane, click the Datastores tab and verify that the ds-golddatastore is listed.

Task 3: ConfigureStorageTags
You create thetags necessary to implementsimpletiering.

The StorageTiers tag category contains the Gold and Silver identifier tags associated with
individual datastores.

1... From the main menu, select Tags & Custom Attributes.
2. Click the Tags tab.

3. Configureanew tag category and the Gold Tier identifier tag.

a. Click NEW.
b. In the Name text box, enter Gold Tier.
c. Click the Create New Category.
A dialogbox appears that includes tag and category configurationoptions.
Categoriescan be created only as part of the identifier tag creation process.
d. Inthe Category Name text box, enter Storage Tiers.
e. For the Associable ObjectTypes,deselect the All objectscheck box.
f. Select the Datastore check box and click CREATE..

g. Inthe Create Tagdialogbox, click CREATE.

47
 Create a Silver Tier identifier tag.
a. Click NEW.
b. In the Name text box, enter Silver Tier.
c. Inthe Categorydrop-downmenu, select Storage Tiers and click CREATE.

Assign the Gold Tier tag to the ds-golddatastore.

a. From the main menu, select Inventory and click the Storageicon.
b. navigaion pane, right-clickds-goldand select Tags&
In the Custom Attributes >

AssignTag.
c. Select the Gold Tier check box and click ASSIGN.
d._ In the navigaion pane, select ds-gold.
e. IntheTagstile on the Summarytab, verify that the Gold Tier tag is associated with the
ds-golddatastore.
Assign theSilver Tier tag to the ds-silver datastore.
a. Inthe navigaion pane, right-clickthe ds-silver datastore and select Tags &Custom
Attributes > AssignTag.

b. Select the SiIver Tier check box and click ASSIGN.

c. Inthe navigaion pane, select the datastore ds-silver.

d. Under Tags on the Summarytab, verify that the Silver Tier tag is associated with the ds-
silver datastore.

Task 4: Create VM StoragePolicies

You assignstorage policiesto VMs, and you specifythe configurationsettingsto be enforced.
1. From the main menu, select Policies and Profiles.

2. Verify that VM Storage Policies is selected in the navigationpane.

3. Create a Gold Tier storage policy.
a. Inthe VM StoragePolicies page, click CREATE.

The Create VM StoragePolicywizard appears.

b. On the Name and descriptionpage, enter Gold Tier Policy in the Name text box
and click NEXT.
c. On the Policystructure page, and under "Datastore specificrules" ,
select Enable tag
based placementrules check box and click NEXT.
d. On the Tag based placementpage, select Storage Tiers from the Tag category drop-
down menu.

48
 e. Click BROWSE TAGS,select Gold Tier, click OK,and click NEXT.

f. Onthe Storagecompatibilitypage, verify that the datastore ds-goldis listed under

Compatiblestorage and click NEXT.
g. On the Review and finish page, click FINISH.

4. Repeat3 steps to create Silver Tier Policyby usingthe Silver Tier tag.
5. Verify that Gold Tier Policyand Silver Tier Policyare entries in the Name column.

If the entries cannot be found, repeat steps to add the entries.

Task 5: AssignStoragePolicies to VMs

You assignthe Gold and Silver storage policiesto individual VMs and you mitigatecompliance
issues.

A storage policycan be assignedto a VM while the VM is powered on or powered off.

1. From the main menu, select Inventory and click the Hosts and Clusters icon

2. In the navigationpane, expandSA-Datacenter and the cluster SA-Compute-02.

3. Apply the Gold Tier storage policy to the Photon-01 VM.
a. Right-clickPhoton-01 and select VM Policies > Edit VM Storage Policies.

b. On the Edit VMStoragePolicies page, select Gold Tier Policyfrom the VM storage
policy drop-downmenu and click OK.
4. Verify that Gold Tier Policywas successfully
appliedto Photon-01.
a. In the navigationpane, select Photon-01.
b. In the right pane, click the Summarytab.
c. Scroll down to the Storage Policies tile, if necessary.
d. Verify that Gold Tier Policyappears and that Photon-01 is compliant.

The Photon-01 VM is compliantbecause it was alreadymoved to a policy-appropriate

datastore.

StoragePolicies

VM Storage Policies
Gold Tier Policy

VM Storage Policy
‘Compliance
v Compliant

Last Checked Date

7/26/2022, 10:24:34 AM

\M ReplicationGroups
CHECK COMPLIANCE

49
 Apply the Silver Tier storage policyto the Photon-02 VM.

a. In the navigationpane, right-clickPhoton-O2 and select VM Policies > Edit VM Storage

Policies.
b. StoragePolicies page, select Silver Tier Policy from
On the Edit VM the VM storage
policydrop-downmenu and click OK.
Verify that Silver Tier Policywas appliedto Photon-O2 but is displayedas Noncompliant.
a. In the navigationpane, select Photon-02.
b. In the right pane, click the Summarytab.
c. View the VM StoragePolicies tile, verify that Silver Tier Policyappears and that Photon-
Q2 is not compliant.

The Photon-02 VM is Noncompliantbecause its data is stored on a datastore that is not

tagged as a part of the assignedpolicy.
StoragePolicies

VM Storage Policies
Silver Tier Policy
VM Storage Policy
Compliance
® Noncompliant

Last Checked Date

7/26/2022, 10:24:05 AM

VM Replication
Groups
CHECK COMPLIANCE

Remediate the complianceissue for Photon-O2.

a. In the navigationpane, right-clickPhoton-O2 and select Migrate.

The Migratewizard appears.
b. On the Select a migrationtype page, click Changestorage only and click NEXT.
c. Onthe Select storage page, select datastore ds-silver.

With storage policyassignedto the Photon-02 VM, datastores

a VM are listed as either
Compatibleor Incompatible.
d. Click NEXT.

e. On the Readyto completepage, review the migrationdetails and click FINISH.

f. In the Recent Tasks pane, monitor the migrationtask to completion.
The migrationmust completesuccessfully.

50
8. Verify that Photon-O2 is reportedas compliant.
a. In the right pane, verify that the status in the VM StoragePolicies tile is Compliant.
b. If the status is Noncompliant,
click Check Compliancein the VM StoragePolicies tile.
c. Verify that the status changesto Compliant.

51
Lab 12 CreatingvSAN Storage
Policies

Objectiveand Tasks
Create and review vSAN storage policies:
1. Examine the Default StoragePolicy
2 Create a Custom Policywith No Failure Tolerance

3. Assignthe Custom Policyto a VM

4 Make the VM Compliant

Task 1: Examine the Default StoragePolicy

You examine the vSAN Default StoragePolicy.
A VSAN datastore has been preconfiguredfor you.
1. Log in to the vSphereClient on Site A.
a. Openthe Firefox web browser and click vSphereSite-A on the bookmarks toolbar.

b. Select vSphere Client (SA-VCSA-01).

c. On the loginpage, enter the vCenter lab credentials.

User name: [email protected]

Password: VMware1!

WN From the main menu, select Policies and Profiles.

Verify that VM Storage Policies is selected in the navigationpane.

8 In the right pane, select vSAN Default Storage Policy and click EDIT.
oa On the Name and descriptionpage, click NEXT.

53
6. On the vSAN page, examine the rules under the Availability, StorageRules,Advanced
Policy Rules,and Tagstabs.
Ql. How many failures can be tolerated?

7. Click CANCEL.

Task 2: Create a Custom Policywith No Failure Tolerance

You create a custom vSAN storage policy that does not provide failure tolerance.
1. In the rightpane, click CREATE.
2. On the Name and descriptionpage, enter vVSAN-VM-Custom-Policy-FTTOin the
Name text box and click NEXT.

On the Policystructure page, and under Datastore specificrules,select Enable rules for
storage check box and click NEXT.
“vSAN―

On the vSAN page Availabilitytab under Failures to tolerate, select No data redundancy
from the drop-downmenu.

View the consumed storage space information below the drop-downmenu.

vSAN

ailabiity Storage rules Advanced PolicyRules Tags

Site disaster tolerance @ None

-standard cluster

Failures to tolerate © No
data redundancy

Ql. Why is the storage space size equalto the VM size?

To completethe vSAN page, click NEXT.

On the Storagecompatibilitypage, click NEXT.

Onlythe vsanDatastore is listed under Compatiblestorage.

On the Review and finish page, click FINISH.

Verify that the VSAN-VM-Custom-Policy-FTTO

storage policyis created and appears in the
list.

You mightneed to scroll throughthe VM StoragePolicies list.

54
Task 3: Assignthe Custom Policyto a VM

You create a second VM and apply your new vSAN storage policy.

1. From the main menu, select Inventory and click the Hosts and Clusters icon.

2. Clone a VM from Photon-01.

a. In the navigationpane, right-clickPhoton-01 and select Clone > Clone to Virtual

Machine.

On the Select a name and folder page, enter Payload-02 in the Virtual machine
name text box, select Lab VMs for the location and click NEXT.

On the Select a compute resource page, expandSA-Datacenter and SA-Compute-0O2,

select sa-esxi-05.vclass.local,and click NEXT.

You may see a compatibilitywarningfor the ESXi host. This warningcan be safely
ignored.
On the Select storage page, select Datastore Default from the VM Storage Policy
drop-downmenu.
Select OPSCALE-Datastore from the datastore list and click NEXT.

On the Select clone optionspage, select only Power on virtual machine after creation
and click NEXT.
Select clone options
Select further clone options
i) Customize the operating system

(CD
Customize this virtual machine's hardware

Power on virtual machine after creation

On the Readyto completepage, click FINISH.

Monitor the Recent Tasks pane to verify that the Clone virtual machine task completes
successfully.
Verify that your new VM is listed in the navigationpane and is poweredon.
If you do not see the VM listed and powered on, click the Refresh icon.

55
 Assignthe vSAN-VM-Custom-Policy-FTTO
storage policyto Payload-O2.
a. In the navigationpane, right-clickPayload-02and select VM Policies > Edit VM Storage
Policies.
b. Select vVSAN-VM-Custom-Policy-FTTO
from the VM storage policy drop-downmenu.
Ql. Why do the VM home and Hard disk 1 objectshave warningicons?
c. Click OK.
d. Monitor the Recent Tasks pane to verify that the Reconfigurevirtual machine task
completessuccessfully.
In the navigationpane, select Payload-02.

On the Summarytab, review the Related Objectstile and the VM StoragePolicies tile.

You mightneed to scroll down in the right pane to see these tiles.

Q2. On which datastore is the VM located?

Q3. Which storage policy is the VM using?

Q4. Is the VM compliantwith its storage policy?

Task 4: Make the VM Compliant

You migrate the Payload-O2VM from the shared VMFS datastore to the vSAN datastore to
make it compliantwith its storage policy.

1. Migrate the Payload-02VM to the vSAN datastore to ensure its compliance.

a. In the navigationpane, right-clickPayload-O2and select Migrate.

b. On the Select a migrationtype page, click Changestorage only and click NEXT.

c. On the Select Storagepage, leave Keep existingVM storage policiesselected in the

VM StoragePolicydrop-downmenu.
d. Inthe datastore list,select vsanDatastore and click NEXT.

e. On the Readyto completepage, click FINISH.

f. Monitor the Recent Tasks pane until the task completessuccessfully.
In the right pane, view the VM StoragePolicies tile and click Check Compliance.
The compliancestatus mighthave been refreshed automaticallyby the vSphereClient. If so,
clickingCheck Complianceis not required.
Verify that the compliancestatus of Payload-O2changesto Compliant.
In the navigationpane, right-clickPayload-O2and select Power > Power Off.

56
Lab 13 BackingUp vCenter Appliance
Objectiveand Tasks
Access the vCenter Server ApplianceManagement
Interface and create a backupof vCenter
Appliance.
1... BackupvCenter Appliance

Task 1: BackupvCenter Appliance

You access vCenter VAMI and backupthe Appliance.

1. Login to the vCenter VAMI on Site A.

a. Openthe Firefox web browser, click vSphereSite-A on the bookmarks toolbar.

b. Select vCenter ApplianceManagement(SA-VCSA-01).
c. Onthe VAMI loginpage, enter the vCenter root credentials.

User name: root

Password: VMware1!

You should see sa-vcsa-01.vclass.local in the Summarypage.

57
 Backupthe vCenter Appliance.
a. In the navigationmenu, select Backup.

b. Select BACKUP NOW.

c. Assignpropertiesto the backupconfiguration.

Option Action

BackupLocation Enter:nfs://172.20.10.15/mnt/NFS-POOL
User name Enter: root

Password Enter: VMwarel1!

Data Uncheck Stats, Events and Tasks

d. Select START and monitor the task to completion.

e. Verify the backupfile is created and stored in the Activity window.

3. Close the vCenter VAMI browser tab.

58
Lab 14 UsingvSphereConfiguration
Profiles

Objectiveand Tasks
Transition a cluster from usingbaselines to usingimagesand use vSphereconfigurationprofilesto
manage all the hosts in the cluster:

1... Configurea Cluster with a SingleImage

2. Configurea Cluster with vSphereConfigurationProfiles
3. Remediate the Hosts in a Cluster
4 View the ConfigurationDocument

Task 1: Configurea Cluster with a SingleImage

You configurea cluster to use a singleimageto manage the updatesof all ESXi hosts in the
cluster.

1. Log in to the vSphereClient on Site A.

a. Openthe Firefox web browser and click vSphereSite-A on the bookmarks toolbar.

b. Select vSphere Client (SA-VCSA-01).

c. On the loginpage, enter the vCenter lab credentials.

User name: [email protected]

Password: VMware1!

59
2. View the current configurationstatus of the cluster.
a. In the left navigationpane, select SA-Compute-01.

b. In the right pane, click the Configuretab.

Cc. Select Configurationunder Desired State.
() | : actions
SA-Compute-O1
Summary Mjonitor Configure Permissions Hosts VMs ~—Datastores_ Networks Updates

VMware EVC
VM/Host Grotups Manageconfigurationat cluster level
using
\VM/HostRules
VM Overrides
Managing the configurationat cluster level vSphereConfiguration Profiles, ensures that all hosts in the cluster have the same settings,and eliminates the need
for configuringthe hosts manually,which enables smooth and easy operation at scale
voriters
Host Options
To create a cluster-level configuration, you have to set up an image for the cluster first.
siost Protie

Licensing
VSAN Cluster
’

Trust Authority

Alarm Definitions

Scheduled Tasks

vSphere Cluste r Services V

Datastores

VSAN

Services

Desired State

The cluster is currentlymanagedwith baselines.

3. Configurethe cluster to use a singleimage.

a. In the right pane, click the Updatestab.
b. Read any warningand information messages and click MANAGE WITH A SINGLE
IMAGE.

Click SETUP IMAGE.

From the ESXi Version drop-downmenu, select 8.0 U1 21495797. -

Click VALIDATE.

The imageis valid.

Click SAVE and wait for the Check ImageCompliance

task to complete.
Click FINISH IMAGE SETUP.

Read the message and click YES,FINISH IMAGE SETUP.

Monitor the Recent Tasks pane.

Several tasks are started. Savingthe changesto the imageautomaticallystarts the

Check complianceof cluster with imagetask.

60
 Verify that the hosts in the cluster are compliant.
(1)SA-Compute-O1 : actions _
Summary Monitor Configure Permissions Hosts. +=
VMs_—Datastores. Networks Updates

Hosts
Image
v
corr

REE cis custer ae managedcollectively.This image below wil be appledto all host in ths cluster

Hardware Compatibility

VMware Tools
ESXI Version 8.0 U1- 21495797

Vendor Addon ©) None

VM Hardware
Firmware and Drivers Addon @ None

Components No additional components Show details

\ Image compatibility
hardware is not verified in non-vSAN clusters. See details

ImageCompliance creck conpuance

[=]

Task 2: Configurea Cluster with vSphereConfigurationProfiles

You configurea cluster to use a singleconfigurationprofileto manage the configurationof all
ESXi hosts in the cluster.

1. In the right pane of the vSphereClient,click the Configuretab for SA-Compute-01.

2. Select Configurationunder Desired State.
Convert the cluster to use vSphereConfigurationProfiles.
a. Click CREATE CONFIGURATION.

b. In the Create configurationstep, click IMPORT FROM REFERENCE HOST.

c. Select sa-esxi-01.vclass.local and click IMPORT.

d. Click CLOSE to close the wizard and select NEXT.

e. Inthe Validate configurationstep, wait until the validation completesand click NEXT.

f. In the Pre-check and apply step, wait until the pre-checkcompletesand click FINISH
AND APPLY.

g. Click CONTINUE.

Click GO TO CONFIGURATION.

61
Task 3: Remediate the Hosts in a Cluster
You reconfigurea host and remediate it to be compliantwith the cluster configurationprofile.
1. Add a VMkernel to your ESXi host.

a. In the left navigationpane, select sa-esxi-O2.vclass.local.

b. In the right pane, click the Configuretab.

Cc. Select VMkernel adapters under Networking.

d. Click ADD NETWORKING.

Leave VMkernel Network Adapter selected and click NEXT.

Select Select an existingstandard switch.

Select vSwitchO and click NEXT.

Leave the default port propertiesselected and click NEXT.

Leave Obtain IPv4 settingsautomaticallyselected and click NEXT and FINISH.
vmk1 appears under VMkernel adapters.
Check complianceof the cluster with the configurationprofile.
Select the SA-Compute-01cluster.
In the right pane, click the Configuretab.
Select Configurationunder Desired State.
Select the Compliancetab and click CHECK COMPLIANCE.
The host sa-esxi-O2.vclass.local is out of compliance.

Configuration
QS ‘hostsare out of compliance and 0 hosts have unknown status. (Checkedon 04/20/2023, 8:08:41 AM)

Settings Compliance OperationDetails

([[entex compuiance
| R U N PRE-cHECK
| REMEDIATE
J
Hoste Y

x
Q
sa-esxi-O02.vclass.local

JAsveniozvcaset
|
- e s x i -

sa-esui-Ot.velass local
Host is out of compliance
with desired configuration

62
 Remediate the cluster againstthe configurationprofile.

a. Click REMEDIATE.
A pre-checkautomaticallyruns before you can continue.

b. Expandeach host to view the details of the pre-check.

c. Click NEXT and review the impactdetails.
d. Click REMEDIATE.

Monitor the Recent Tasks pane.

The host mightbe rebooted as part of the remediation. When the host comes back online,a
second compliancecheck automaticallyruns.
In the navigationpane, select sa-esxi-O02.vclass.local.
The host remediation removed the additional VMkernel adapter.

Task 4: View the ConfigurationSettingsof the Cluster

You view the settingsof the cluster configurationin the vSphereClient and in the configuration
document.
1. n the vSphereClient,select the SA-Compute-01cluster in the navigationpane.
2 From the Configuretab, select Configurationunder Desired State.

3. Under Configuration,
click the Settingstab.

4 Explorethe available settings.

Settings Compliance Operation
Details
EXPORT | IMPORT

advanced_options
authentication

authorization

graphics

hardware
Select a setting
health

Export the configurationdocument to a JSON file.

a. From the Settingstab, click EXPORT.

b. Click DOWNLOAD.

c. Review the details of the download and click Save.

63
6. On the Linux taskbar,click Files.

7. Click Downloads.
8. Right-clickthe export-settings-config-xxxxxxxxxx.json
file and click Openwith Text Editor.

9. Inspectthe configurationsettingsin the JSON file.

You can edit the JSON file manuallyand importit back into the cluster.
10. Close the text editor and the Files window.

64
Lab 15 Workingwith Certificates

Objectiveand Tasks
Generate and replacea vCenter certificate usingthe vSphereClient:

1. Examine the Machine SSL Certificate

2. Generate a Certificate SigningRequest

3. Replacea Machine SSL Certificate with a PregeneratedCA Certificate

Task 1: Examine the Machine SSL Certificate

You investigatethe vCenter machine SSL certificate usingthe vSphereClient.
1. Log in to the vSphereClient on Site A.
a. Openthe Firefox web browser and click vSphereSite-A on the bookmarks toolbar.

b. Select vSphere Client (SA-VCSA-01).

c. On the loginpage, enter the vCenter lab credentials.

User name: [email protected]

Password: VMwarel1!

2. From the main menu, select Administration and select Certificate Managementunder
Certificates.

65
3. From the Machine SSL Certificate tile, select VIEW DETAILS.
NOTE

The followingscreenshot is an example.Your certificate information may be different.

< BACK TO CERTIFICATE MANAGEMENT

__MACHINE_CERT
SA-VCSA-O1.VCLASS.LOCAL

Certificate Information

4. Record the followingcertificate information for future comparison.

Valid from:
Valid until: _

Thumbprint: _.

a
Each time certificate is renewed, the current time is set as the Valid from time and the
Valid to time is set as 2 years from that moment.
The certificate thumbprint,also called a cert hash,is uniqueand changeswith each certificate
generated.
5. When you have finished reviewingthe Machine SSL certificate details,click BACK TO
CERTIFICATE MANAGEMENT at the top of the page.

6. Scroll down and click VIEW DETAILS for the first certificate under Trusted Root Certificates.

Ql. Who issued the certificate?

7. When you have finished reviewingthe Trusted Root certificate details,click BACK TO
CERTIFICATE MANAGEMENT to return to Certificate Management.

66
Task 2: Create a Certificate SigningRequest
You use vSphereCertificate Managerto create a certificate signingrequest (CSR)that you use
to request a signedcustom certificate from the domain controller certificate authority(CA) for
the lab.

1. Generate the CSR.

a. Under Machine SSL Certificate,click Actions > Generate Certificate SigningRequest

(CSR).
b. Enter the requireddetails to finish the certificate signingrequest.

Option Action

Organization En er: VMware

OrganizationUnit En er: Education

Country Se lect: United States

State/Province En er: California

Locality En er: Palo Alto

Email Address En er: [email protected]

c. When finished,click NEXT.

2. Click FINISH to close the wizard.

Generatingthe vCenter CSR in this task is for testingpurposes only. You will use pre-signed
certificates for importingand replacingthe Machine SSL certificate on vCenter in the next
task.

67
Task 3: Replacea Machine SSL Certificate with a Pregenerated
CACertificate
You import and replacethe VMware CA self-signedcertificate with an external CA-signed
certificate usingthe vSphereClient.

1. From the main menu, select Administration and select Certificate Managementunder
Certificates.

2. Importand Replacethe self-signedcertificate.

a. Under the Machine SSL Certificate tile, select Actions > Import and ReplaceCertificate.
The ReplaceCertificate wizard starts.
b. On the Choose type of certificate to replace,select Replacewith external CA
certificate (requiresprivate key).
c. Click NEXT.

A warningis placedin the interface for the user.

Replacewith externallysignedcertificate and private key x

2 vcenter server serces be ama retarted after succes replacement ofthe machine St cerca,
|
d. Under the Machine SSL Certificate text box, click BROWSE FILE.

e. From the folder /Desktop/Class Materials and Licenses/linux_ CA,

select ca_vesa.crt and click Open.
After selectingthis file, the text box will be populatedwith the CA-signedcertificate
information.
f. | Under the Chain of trusted root certificates box, select BROWSE FILE.
g. From the folder /Desktop/Class Materials and Licenses/linux CA,
select RootCA.crt and click Open.

After selectingthis file, the text box will be populatedwith the root and chain certificate
information.
h. Under the Private Key box, select BROWSE FILE.

i. From the folder /Desktop/Class Materials and Licenses/linux_CA,

select vmca_issued_key.key
and click Open.
After selectingthis file, the text box will be populatedwith the Private Key information.

68
 On the Replacewith external CA certificate page, click REPLACE.
Shortlyafter the new CA-signedcertificate import process successfullybegins(in
seconds),a message box indicatinga connection timeout in the vSphereClient should
display.This happensbecause replacinga securitycertificate causes vCenter services to
restart includingthe vSphereClient UI.

You will need to restart the web browser to reconnect to the vSphereClient. You will
do this at the end of the next step.

Connection Timeout

©Your vsphere Client session is no longer authenticated. Please login again

3. Clear the web cache and restart Firefox.

a. In anew Firefox tab, open the Firefox menu and select Settings.
a oH
sync and save data Signin

New tab ctrleT

New window CtrleN

New privatewindow Ctrl+shift+P

Bookmarks >

History >

Downloads ctrlsshift+Y
Passwords
‘Add-ons
and themes Ctrlashift+a

Print... ctrleP
Save page as... Ctrles
Find in page... Ctrl+F

Zoom =
100% + 7

tools
‘More >

Help >

Quit ctrl+Q

Alternatively,you open a new Firefox browser tab and enter

can
about: preferences in the Address box.
b. In the highlightedsearch box, search for cache.
Cc. Under Cookies and Site Data, select Clear Data.

69
 d. Inthe Clear Data dialogbox, deselect Cookies and Site Data and click Clear.

This action will clear the web cache of your Firefox browser.
Clear Data x

Clearing
all cookiesand site data stored byFirefox may signyou out of
websites and remove offline web content. he
Clearing data will not affect
your logins.

Cookies and SiteData (4.5MB)

You may get signedout of websites if cleared

CaeHEd
(©& Webcontent (148MB)
Will require websites to reload images and data

Cancel

e. Restart your Firefox browser.

4. Verify the certificate replacement.
After a longerwait (of at least 10 minutes),you must log back in to the vCenter instance
because restartingthe services ends the UI session.

a. Usingthe vSphereClient,log in to the vCenter sa-vcsa-01.vclass.local usingyour

vCenter lab credentials.

b. If you get receive the securitymessage Warning: Potential Security

Risk Ahead in your Firefox browser session, click Advanced... and
click Accept the Risk and Continue to proceedto the vCenter loginpage.

If you experiencedifficulties when attemptingto log in to the vCenter instance in Site A,

clear both Cached Web Content and Cookies and Site Data in the Firefox browser, then
retry from step 4a.
If you cannot log in to vCenter after services have restarted, attempt to log in usinga
new private Firefox window.
c. From the main menu, select Administration and select Certificate Managementunder
Certificates.

d. From the Machine SSL Certificate tile, select VIEW DETAILS.

70
Comparethe valid dates and thumbprintinformation with the certificate information
collected in an earlier task.

Valid from:
Valid until:

Thumbprint:
IMPORTANT

The valid dates and thumbprintof the current certificate should be different from the
previouscertificate.

71
Lab 16 MonitoringVirtual Machine
Performance

Objectiveand Tasks
Use the system monitoringtools to review the CPU workload:

1. Create a CPU Workload

2. Use Performance Charts to Monitor CPU Use

Task 1: Create a CPU Workload

You run the CPUBUSY scriptin each virtual machine to create a heavy CPU workload in your lab
environment.

1. Log in to the vSphereClient on Site A.

a. Openthe Firefox web browser, click vSphereSite-A on the bookmarks toolbar.

b. Select vSphere Client (SA-VCSA-01).

c. On the loginpage, enter the vCenter lab credentials.

User name: [email protected]

Password: VMware1!

2. Power on Linux-CPU-01 and Linux-CPU-0O2.

a. From the main menu of the vSphereClient,select Inventory and click the Hosts and
Clusters icon.

b. In the navigationpane, click SA-Compute-O2

and select the VM tab.

c. Click the check box for Linux-CPU-01 and Linux-CPU-02.

d. Right-clickthe highlightedVMs and select Power > Power On.

3. From the main menu, select Inventory and click the VMs and Templatesicon.
4. In the navigationpane, expandsa-vcsa-01.vclass.local and expand SA-Datacenter.
5. ExpandLab VMs.

73
6. Onthe Summarytab for Linux-CPU-01 and Linux-CPU-02,click LAUNCH WEB CONSOLE.

7. Onboth virtual machine desktops,open the Linux Terminal and run CPUBUSY

./Desktop/cpubusy.pl

Task 2: Use Performance Charts to Monitor Host CPU Use

You Performance Charts to review the latest CPU readiness metrics for two virtual
use
machines.

1. Return to the vSphereClient.

2. View the CPU performancechart for the Linux-CPU-01 virtual machine.

a. In the navigationpane, select Linux-CPU-01.
b. In the right pane, click the Monitor tab and select Overview under Performance.

Scroll down and review the Performance Overview panes.

Select Advanced under Performance.

The real-time CPU usage graphappears.

Click the Chart Optionslink.

The Chart Optionsdialogbox opens.
In the Chart Metrics pane, verify that CPU is selected.
In the Timespandrop-downmenu, verify that Real-time is selected.

Under Select object for this chart, deselect the O check box.

The Linux-CPU-01 VM should be the only selected object.

In the Select counters for this chart list,verify that theReadiness and Usagecheck
boxes are the only boxes that are selected.

Click OK.
The CPU/Real-time chart for the Linux-CPU-01 virtual machine opens.

3. Openanew tab in the web browser and start a second vSphereClient instance.

a. To start the vSphereClient,select vSphereSite-A > vSphereClient (SA-VCSA-01)in

the bookmarks toolbar in Firefox.

4. Inthe second vSphereClient instance,repeat step 2 to view the CPU performancechart for
the Linux-CPU-02 virtual machine.

5. In the vSphereClient windows that show the CPU charts for Linux-CPU-01 and Linux-CPU-
02, view the Latest column for the Readiness metric in the Performance Chart Legend.

74
6. Record the latest CPU readiness value for each virtual machine and leave the Performance
Chart windows open.
e
=Linux-CPU-O1__—
e
=Linux-CPU-02__—
7. \Ineach VM console, close the Linux Terminal window to stop the CPUBUSY script.
IMPORTANT

This scriptmust be stopped in each virtual machine. If the scriptis left running,the
performanceof other labs mightbe affected.

In the vSphereClient windows that show the CPU charts for Linux-CPU-01 and Linux-CPU-
02, view the Latest column for the Readiness metric.
Wait for the chart to be updatedand compare the CPU ready value with what you recorded
in step 6.

Performance charts updateevery 20 seconds.

Ql. Did the CPU ready value change?If it did, what is the reason for the change?
10. Close the Linux-CPU-01 and Linux-CPU-02 consoles and the second vSphereClient tab.

75
Lab 17 UsingAlarms

Objectiveand Tasks
Create alarms to monitor virtual machine events and conditions:

1. Create a Virtual Machine Alarm to Monitor a Condition

Wn Triggerthe Virtual Machine Alarm

Create a Virtual Machine Alarm to Monitor an Event
fF Triggerthe Virtual Machine Alarm

a Deactivate Virtual Machine Alarms

a KnowledgeCheck

Task 1: Create a Virtual Machine Alarm to Monitor a Condition

You create an alarm to monitor a condition that occurs on a virtual machine.
1. Log in to the vSphereClient on Site A.

a. Openthe Firefox web browser, click vSphereSite-A on the bookmarks toolbar.

b. Select vSphereClient (SA-VCSA-01).

c. On the loginpage, enter the vCenter lab credentials.

User name: [email protected]

Password: VMware1!

From the main menu, select Inventory and click the VM and Templatesicon.
Right-clickLinux-CPU-01 and select Alarms > New Alarm Definition.

The New Alarm Definition wizard opens.

Because you creatingan alarm for the Linux-CPU-01 virtual machine object,this alarm
are
monitors only that object. If you set the alarm on an object higherin the vCenter inventory,
the alarm appliesto the parent object and all relevant child objectsin the hierarchy.

77
 On the Name and Targets page, enter Linux-CPU-01 CPU Usage in the Alarm Name
text box.

The target type is Virtual Machine,and the target object is Linux-CPU-01.

Click NEXT.

On the Alarm Rule 1 page, define the trigger condition.

If VM CPU Usageis above 40% for 30 seconds,then trigger the alarm and show the alarm
as Warning.
a. From the first drop-downmenu, select VM CPU Usage.

b. From the select an operator drop-downfor the IF condition, select is above.

c. Inthe % text box, enter 40.

d. From the last drop-downmenu, select 30 sec.

e. For the THEN condition,select Show as Warningfrom the select severitydrop-down

menu.

f. Click NEXT.

On the Reset Rule 1 page, read the rule and do not changeanything.
The reset rule is to reset the alarm to Normal if the warningcondition is no longermet.
Click NEXT.

On the Review page, review the alarm information.

The alarm is active by default.

10. Click CREATE.

11. Verify that the alarm definition is created.

a. In the navigationpane, select Linux-CPU-01 and click the Configuretab.
b. Select Alarm Definitions.

c. Verify that the Linux-CPU-01 CPU Usagealarm appears in the alarm list.

d. If you cannot easilyfind the alarm,use the filter in the Alarm Name column and search
for some or all of the alarm name.
@ Winl0-02 > &
& | :actions

‘SummaryMonitor Configure Permissions Datastores Networks Snapshots Updates

Settings v_ Alarm Definitions

\VM SORS Rules
ADD EDIT_—ENABLE/DISABLE DELETE

Object |
vApp Options
Arm Name pe + betnedin oy

‘ScheduledTasks WwW
y
>
Policies

Guest User Mappings

78
Task 2: Triggerthe Virtual Machine Alarm
You trigger the virtual machine alarm,reset the virtual machine alarm,and view the events that
occurred when the alarm was triggered.
1. Generate CPU activity in Linux-CPU-01 to trigger the Linux-CPU-01 CPU Usagealarm.
a. Onthe Summarytab for Linux-CPU-01,click Launch Web Console.

b. On Linux-CPU-O1's desktop,open the Linux Terminal and run CPUBUSY.

./Desktop/cpubusy.pl
The CPUBUSY scriptshould generate enoughactivity to reach 40 percent CPU usage.

2. Return to the vSphereClient.

3. Verify that the Linux-CPU-01 CPU Usagealarm is triggered.
a. On the Linux-CPU-01 page, select the Monitor tab and select TriggeredAlarms under
Issues and Alarms.

b. Wait for at least 30 seconds and refresh the TriggeredAlarms pane.

c. Verify that the Linux-CPU-01 CPU Usagealarm appears in the TriggeredAlarms list.
4. Under Tasks and Events, select Events.

An entry states that the Linux-CPU-01 CPU Usagealarm changedfrom green to yellow.

5. Acknowledgethe triggeredalarm.
a. In the right pane under Issues and Alarms,click TriggeredAlarms.
b. Select the check box next to Linux-CPU-01 CPU Usage.
c. Click ACKNOWLEDGE.

The TriggeredAlarms pane shows the time that the alarm was acknowledgedand the
user that acknowledgedthe alarm.

6. Stop the CPUBUSY script.

a. Return to the Linux-CPU-01 console tab.

b. Close the Linux Terminal window to stop the CPUBUSY script.

79
7. Verify that Linux-CPU-01 returns to a normal state.

a. Return to the vSphereClient.

b. Refresh the TriggeredAlarms pane and verify that the Linux-CPU-01 CPU Usagealarm
no longerappears.

You mighthave to wait a minute for CPU usage to decrease.

c. Inthe navigationpane, verify that Linux-CPU-01 icon does not show the warningsymbol.
d. Onthe TriggeredAlarms page, select Events under Tasks and Events.

An entry states that the Linux-CPU-01 CPU Usagealarm changedfrom yellow to green.

8. Close the Linux-CPU-01 console tab.

Task 3: Create a Virtual Machine Alarm to Monitor an Event

You create an alarm to monitor an event that occurs on any virtual machine in SA-Compute-0O2.
1. In the navigationpane, click the Host and Clusters icon.

2. Select SA-Compute-O2
and click the Configuretab in the right pane.

3. Select the Alarm Definitions pane and click ADD.

The New Alarm Definition wizard starts.

4. Onthe Name and Targetspage, configurethe alarm name and target type.
a. Enter VM Suspended in the Alarm Name text box.

b. Select Virtual Machines from the Target type drop-downmenu.

The target objectsare all virtual machines in SA-Compute-O2.

c. Click NEXT.

5. On the Alarm Rule 1 page, define the trigger condition.

If a VM is suspended,then trigger an alarm,and show the alarm as Warning.

a. From the first drop-downmenu, select VM suspended.

The VM suspendedevent appears under the Power and Connection State category, or
type Suspendin the search box.
b. From the select severity drop-downmenu, select Show as Warning.
c. Click NEXT.

80
 Configurethe reset rule.

If the VM is resuming,
then reset the alarm to normal.

a. On the Reset Rule 1 page, turn on the Reset the alarm to green toggle.

b. Click the first drop-downmenu for the IF condition and enter resuming in the Search
box.

c. Select VM resumingfrom the search results.

d. Click NEXT.

On the Review page, review the alarm information.

The alarm is active by default.

Click CREATE.

Verify that the alarm definition is created.

If you cannot easilyfind the alarm,use the filter in the Alarm Name column and search for
some or all of the alarm name.

Task 4: Triggerthe Virtual Machine Alarm

You trigger the virtual machine alarm,reset the virtual machine alarm,and view the events that
occurred when the alarm was triggered.

1. Triggerthe VM Suspendedalarm by suspendingLinux-CPU-01.

a. In the navigationpane, right-clickLinux-CPU-01 and select Power > Suspend.
b. Click YES to confirm suspending
the VM.

Verify that the VM Suspendedalarm is triggered.

a. In the navigationpane, select SA-Compute-0O2 .

b. In the right pane, click the Monitor tab and under Issues and Alarms,select Triggered
Alarms.

c. Monitor the Recent Tasks pane and wait for the Suspendvirtual machine task to
complete.
d. Verify that the VM Suspendedalarm appears in the TriggeredAlarms list.
e. Refresh the TriggeredAlarms pane.
In the navigationpane, right-clickLinux-CPU-01 and select Power > Power On.

Wait for Linux-CPU-01 to power on.

81
4. Verify that Linux-CPU-01 has returned to a normal state.

a. In the navigationpane, verify that Linux-CPU-01's icon does not show the warning
symbol.
b. Refresh the TriggeredAlarms pane.

The VM Suspendedalarm no longerappears in the list.

c. Under Tasks and Events, select Events.

You should see an entry statingthat the VM Suspendedalarm changedfrom yellow to

green.

Task 5: Deactivate Virtual Machine Alarms

You deactivate the Linux-CPU-01 CPU Usageand the VM Suspended
alarms.

1. Deactivate the Linux-CPU-01 CPU Usagealarm.

a. Inthe navigationpane, select Linux-CPU-01.

b. Click the Configuretab and select Alarm Definitions.

c. Search for the Linux-CPU-01 CPU Usagealarm.
If necessary, use the filter in the Alarm Name column to search for the alarm.

d. Click the Linux-CPU-01 CPU Usagecheck box and click DISABLE.

e. Verify that the Linux-CPU-01 CPU Usagealarm is deactivated.

Repeatstep 1to deactivate the VM Suspendedalarm.
object because the alarm is defined
Perform this step on the SA-Compute-O2 on this object.

In the navigationpane, right-clickLinux-CPU-0O1and select Power > Power Off.

Verify that Linux-CPU-01 has powered off.

Task 6: KnowledgeCheck
You are tasked to create and triggera virtual Machine alarm to monitor an event

1. Create a new alarm definition on Linux-CPU-O2 called: VM Powered Off

2. Configurethe alarm to Show as Warningand to Reset the alarm to green when the VM is
Powered on

Triggerthe alarm by poweringoff Linux-CPU-02

Power on Linux-CPU-0O2,
confirm the alarm has reset and deactivate the alarm

Power off Linux-CPU-02 to finish this task.

82
Lab 18 ConfiguringLockdown Mode

Objectiveand Tasks
Configureand test lockdown mode:
1. Start the SSH Service

2. Enable and Test Lockdown Mode

3. Disable Lockdown Mode

4 KnowledgeCheck

Task 1: Start the SSH Service

You use the vSphereClient to verify that the SSH service is runningon sa-esxi-01.vclass.local.
1. Log in to the vSphereClient on Site A.
a. Openthe Firefox web browser and click vSphereSite-A on the bookmarks toolbar.

b. Select vSphere Client (SA-VCSA-01).

c. On the loginpage, enter the vCenter lab credentials.

User name: [email protected]
Password: VMware1!

WN From the main menu, select Inventory and click the Hosts and Clusters icon.

In the navigationpane, select sa-esxi-04.vclass.local.

F In the right pane, click the Configuretab.
a Under Systemon the page menu to the left, click Services.
a Start the SSH service if not alreadyrunning.

83
Task 2: Enable and Test Lockdown Mode
You enable lockdown mode for your assignedESXi host.
In lockdown mode, all users except those defined in the ExceptionUsers list are denied direct
access to the host vSphereESXi Shell,SSH,and direct console user interface (DCUI).

1. In the navigationpane, select sa-esxi-04.vclass.local.

2. Inright pane, click the Configuretab.
3. Under System,click SecurityProfile.

4. Enable normal lockdown mode.

a. In the right pane, click EDIT next to Lockdown Mode.

The Lockdown Mode page appears.

b. On the Lockdown Mode page, click Normal.

c. Select the ExceptionUsers tab.

The user list is empty.

d. Click OK.

5. Verify that the user root is denied access in this SSH session.

a. Click Remmina in the Linux taskbar.

b. Double-Click SA-ESXi-04 to login.

Remmina automaticallytries to log in as root. On the SSH credential page, click ok if

promptedto log in as the root user.

c. Verify that user root is not loggedin to the SSH session.

d. Close the Remmina window.

6. Verify that the SSH service is runningon the ESXi host.

a. Inthe navigationpane, select sa-esxi-04.vclass.local.

b. In the right pane, click the Configuretab.

c. At the left under System,click Services.
You can see that the SSH service is not disabled and it is runningon the ESXi host.

84
 Verify the root user is denied access in the ESXi UI.

a. Openthe Firefox web browser, open a new tab and click vSphere Site-A on the
bookmarks toolbar.
b. Select Host Client (SA-ESXI-04).
c. Onthe loginpage, enter the ESXi lab credentials.

User name: root

Password: VMwarel1!

d. Verify that user root is unable to log in.

e. Close the browser tab for Host Client (SA-ESXI-04).

Task 3: Disable Lockdown Mode

You disable lockdown mode for your assignedESXi host.
1. From the main menu, select Inventory and click the Hosts and Clusters icon.
2 In the navigationpane, select sa-esxi-04.vclass.local.
3 In the right pane, click the Configuretab.
4. In the navigationpane under System,click SecurityProfile.
5 You disable lockdown mode on your ESXi host.
a. In the right pane, click Edit next to Lockdown Mode.

The Lockdown Mode page appears.

b. On the Lockdown Mode page, click Disabled.

c. Click OK.

Disable the SSH service on your ESXi host.

a. Click the Hosts and Clusters icon in the inventory.

b. In the navigationpane, select sa-esxi-04.vclass.local.
c. Inthe right pane, click the Configuretab.
d. At the left under System,click Services.
e. Stop the SSH service.

85
Task 4: KnowledgeCheck
You are tasked to configurelockdown mode on an ESXi host

1... Configurelockdown mode on sa-esxi-O1.vclass.local.

2. Confirm lockdown mode has been configuredsuccessfully.

3. Disable lockdown mode on sa-esxi-O1.vclass.local.

86
Lab 19 (Simulation)Configuring
IdentityFederation to Use Microsoft
ADFS

Objectiveand Tasks
ConfiguringIdentityFederation to use Microsoft ADFS:
1. ConfigurevCenter IdentityProvider Federation

2. Log Into vCenter Usingan AD Account

IMPORTANT

Do not performthe steps from this simulation in your actual lab environment.

Do not refresh, navigateaway from,or minimize the browser tab hostingthe simulation.
These actions mightpause the simulation,and the simulation mightnot progress.

Task 1: Lab Simulation

Youconfigurethe ADFS identitysource and add permissions to vCenter for a user from the
ADFS identitysource. You then log into vCenter as the user authenticated from ADFS.

1. In your local desktop,open a web browser.

2. Go to https://core-vmware.bravais.com/s/dfxOwDotmsZVWT6RQaiK
to open the
simulation.

3. After you completethe simulation,close the simulation browser tab.

87
Lab 20 ConfiguringvCenter to work
with an external KMS

Objectiveand Tasks
Add a Key ManagementServer (KMS)to your vCenter from the vSphereClient:
1. Configurea KMS on vCenter

2. Establish Trust between KMS and vCenter

Task 1: Configurea KMS on vCenter

You configureKMS from the vSphereClient.
1. Log in to the vSphereClient on Site A.

a. Openthe Firefox web browser, click vSphereSite-A on the bookmarks toolbar.

b. Select vSphereClient (SA-VCSA-01).

c. On the loginpage, enter the vCenter Server lab credentials.

User name: [email protected]

aR
Password: VMwarel1!

N From the main menu, select Inventory and click the Host and Clusters icon.

wo In the left pane, click sa-vcsa-01.vclass.local and select the Configuretab.

In the middle pane, select Key Providers under Security.
Click ADD and select Add Standard Key Provider.

89
 In the wizard,assignthe KMS configuration.

Name sa-kms-01.vclass.local

KMS sa-kms-O1.vclass.local

Address 172.20.10.193

Port 5696

Click ADD KEY PROVIDER.

Click TRUST on the Make vCenter Trust Key Provider page.

Verify the Key ManagementServer is added and appears under Key Providers.
Select sa-kms-01.vclass.local (default).

The Status of 1KMS not connected will appear.

Task 2: Establish Trust between KMS and vCenter

You establish trust between the KMS server and vCenter.

1. On the Key Providers tab, click sa-kms-O1.vclass.local.

2. Click ESTABLISH TRUST and select Make KMS trust vCenter.

The Make KMS trust vCenter wizard appears.

For Choose a method, select KMS certificate and private key and click NEXT.
a. For KMS Certificate,click UPLOAD A FILE,select /Downloads/KMS
Keys/root_certificate.pem and click Open.
b. Key, click UPLOAD A FILE, select /Downloads/KMS
For KMS Private
Keys/root_key.pemandclick Open.
Click ESTABLISH TRUST.

Confirm trust is established between KMS and vCenter.

90
Lab 21 Creatingan EncryptedVirtual
Machine

Objectiveand Tasks
Encryptanew VM with a standard key provider:
1. Deployan EncryptedVM
2. Confirm the VM is Encryptedwith a Standard Key Provider

Task 1: Creatingan EncryptedVirtual Machine

You encrypt the virtual machine Photon-ENC usinga virtual machine encryptionpolicy.
1. Log in to the vSphereClient on Site A.

a. Openthe Firefox web browser and click vSphereSite-A on the bookmarks toolbar.

b. Select vSphereClient (SA-VCSA-01).

c. Onthe loginpage, enter the vCenter lab credentials.

User name: [email protected]

Password: VMwarel1!

2. From the main menu, select Inventory and click the VMs and Templatesicon.
3. Right-clickLab VMs and select New Virtual Machine.

The New Virtual Machine wizard appears.

4. On the Select creation type page, verify that Create a new virtual machine is selected and
click NEXT.

91
 On the Select a name and folder page, enter the VM name and choose the VM location.

a. Enter Photon-ENC in the Virtual machine name text box.

b. Leave Lab VMs selected and click NEXT.

On the Select a compute resource page, expand SA-Datacenter > SA-Compute-O2,

select
sa-esxi-O06.vclass.local and click NEXT.

On the Select storage page, select Encryptthis virtual machine.

After selectingthe Encryptcheck box, the "ManagementStoragePolicy Encryption"policy -

is automaticallyselected. From the VM StoragePolicydrop-downmenu, it now only shows

policieswhere encryptionis enabled.
Select vsanDatastore and click NEXT.

On the Select compatibilitypage, keep the default and click NEXT.

10. On the Select a guest OS page, select Guest OS FamilyLinux and VMware Photon OS
(64bit) from the Guest OS Version drop-downmenu and click NEXT.
11. On the Customize hardware page, configurevirtual hardware settings.
a. ConfigureCPU, memory, and storage.
Option Action

CPU Select 1 from the drop-downmenu

Memory Enter 1 GB

Hard Disk 1 Enter 2 GB

b. For New Network, verify that VM Network is selected.

c. For New CD/DVD Drive, select Datastore ISO File from the drop-downmenu.
d. In the Select File window,click OPSCALE-Datastore.

e. Click the ISO folder and select the Photon OS ISO image:photon-3.0-a0f216d.iso

f. Click OK.

g. Expandthe New CD/DVD Drive to view more details.

h. Select the Connect At Power On check box.

i. Click NEXT.
12. On the Readyto completepage, review the information and click FINISH.

13. In the navigationpane, verify that the Photon-ENC VM appears in the Lab VMs folder.

92
Task 2: Confirm the VM is Encryptedwith a Standard Key Provider
You verify that the VM is encryptedwith a Standard Key Provider.

1. Select Photon-ENC in the navigationpane.

2. In the Summarytab, review the settingsin the different panes and verify that the settings
show the correct configuration
for the VM.

In the Virtual Machine Details pane, verify that the VM is encryptedwith a Standard Key
Provider.

93
Answer Key
Lab 5 ManagingResource Pools
Task 4: Verify Resource Pool FUNCTtIONAILY oo. ess eeseestessesseeseessesseeseesteaseeseeseeses
19
Ql. What is the number of shares for this RP-Test (Low) resource pool?
Al. 2,000.
Q2. What is the number of shares for this RP-Production (High)resource pool?
A2. 8,000.
Q3. What is the difference in performancebetween the two virtual machines?
A3. The RP-Test resource pool,and the virtual machine in it, have only one-fourth of the CPU
shares that the RP-Production resource pool has. Therefore, the virtual machine in the
RP-Test resource pool receives only one-fourth of the CPU cyclesof the logicalCPU to
which the virtual machines are pinned.
Lab 6 EnablingvCLS Retreat Mode
Task 3: Revert the CHange .o..ccccccccsssssssssesesessesessesesssesssssusscsesessssssesessacsueseansusscseseeseaees
23
Ql. What is the number of vCLS VMs deployed?
Al. Two vCLS VMs.

Lab 10 Viewinga vSAN Datastore Configuration

Task 1:View VSAN Datastore
a Configuration n.....cccccccccccscssescssessessesessessessstesessesesseesenss
41
Ql. How many storage devices are in this disk group?
Al. Two.
Q2. What are the drive types?
A2. All storage devices are flash drives (SSD).
Q3. What tier does each drive belongto?
A3. One 5 GB flash drive is used for the cache tier and one flash drive is used for the capacity
tier (if you mouse over the progress bar showingthe currentlyused capacity,you can
see it's disk)
a 10 GB
Task 2: View the VSAN Default StoragePolicy oo.ccccccccccccscesesseseesesestesessestesesseeseeese
44
Ql. Why is the policy'seffective free space the value that it is?
Al. Because the storage policy uses RAID 1 (mirroring),RAID 1 providesfull redundancy.A
full copy of the VM is maintained and,therefore, the VM takes up twice the amount of
space as a VM that is not mirrored.

95
Lab 12 CreatingvSAN StoragePolicies
Task 1: Examine the Default StoragePOliCy w.ccccccccccccscsssseesessesestssessesseseesessestesseseaness
53
Ql. How many failures can be tolerated?

Al. One.
Task 2: Create a Custom Policywith No Failure Tolerance .....ccccccccccecccsceeseseeee 54
Ql. Why is the storage space size equalto the VM size?
Al. Because the number of failures to tolerate is zero, a mirrored copy of the VM is not
created.
Task 3: Assignthe CUStOMPOIICY
tO A VM .i.cccccccccssesseseesessestestesessessesessesusetesseseseesseseenees 55
Ql. Why do the VM home and Hard disk 1 objectshave warningicons?
Al. The selected storage policyis only compatiblewith vSAN datastores and the VM is
currentlyon a VMFS datastore.
Q2. On which datastore is theVM located?
A2. OPSCALE-Datastore.
Q3. Which storage policy is the VM using?
A3. VSAN-VM-Custom-Policy-FT TO.
Q4. Is the VM compliantwith its storage policy?
A4. No. The status is Not Applicable.

Lab 15 Workingwith Certificates

Task 1: Examine the Machine SSL Certificate occ ecseeseeseesnecsneesnecsneesneesneenneeets
65
Ql. Who issued the certificate?
Al. Under Issuer Information, the Issuer Name field contains CA, which indicates that VMware
CA issued the certificate.

Lab 16 MonitoringVirtual Machine Performance

Task 2: Use Performance Charts to Monitor Host CPU USe..... i ceeeeeseeeeenee
74
Ql. Did the CPU ready value change?If it did,what is the reason for the change?
Al. Yes. After the scriptsstop, the CPU ready value decreases significantly
because CPU
contention does not occur.

96