Layer3

Adventures in Networking, Routing, Switching, Virtualization, Storage, etc.

Posts Tagged ‘vSphere’

vSphere Service Console Firewall Commands

Posted by Chris on October 19, 2009

In the VCP4 exam blueprint, Objective 1.3 states that you “Understand Service Console firewall operation”.

The command syntax is esxcfg-firewall -<options>

The service console has a small number of services predefined in the firewall.  Use the -e and -d options to enable/disable these services.
To open/close a custom port that is not predefined, use the -o or -c options.

Start by opening an SSH session to the ESX server and entering su - to become root.

esxcfg-firewall -s
Lists the predefined services known to the VMware host.
Remember “s” for services.

Here’s an example of the command output on an ESX3.51 U2 host showing the predefined services.
[Screenshot: esxcfg-firewall output]

esxcfg-firewall -q
Queries the current firewall configuration.
Shows Enabled services and Opened ports.
Remember “q” for query.

esxcfg-firewall -e <service name>
Enables a predefined service.
Remember “e” for enable service.

esxcfg-firewall -d <service name>
Disables a predefined service.
Remember “d” for disable service.

esxcfg-firewall -o <port,tcp|udp,in|out,name>
Opens a port that is not already defined as a service.
Remember “o” for open port.

esxcfg-firewall -c <port,tcp|udp,in|out,name>
Closes a port that is not already defined as a service.
Remember “c” for close port.

esxcfg-firewall -r
Resets all firewall options to default settings.
Remember “r” for reset.

Posted in VCP, VMware, Virtualization

VCP4 Exam Update

Posted by Chris on October 7, 2009

I’ve received a couple of emails from folks wanting to know how I did on the VCP exam.  Regretfully, I have to report that I failed my first attempt, missing a passing score by 32 points.

In hindsight I’m not really surprised I didn’t do well as I really didn’t know what to expect and knew I was “pushing the envelope” in terms of preparation time.

Here are some things to consider if you are thinking about taking the exam and a couple of things I’m doing to prepare for my second attempt.

1.  You can’t pass the exam by simply taking the class.  The class is good, but it does not cover the exam topics in enough depth to get you through the exam.
2.  Everything you need to know is outlined in the exam blueprint.
3.  All of the info you need to study is in the VMware documentation.
4.  I’m reviewing all of the free training material offered on VMware’s Partner website.
5.  Consider investing a couple of hours and completing the VMware Technical Sales Professional (VTSP) training.  There’s good material there that helped me fill in some of the gaps in my product knowledge.
6.  Consider some supplementary study material.  I’m reading Scott Lowe’s new book “Mastering VMware vSphere 4”.  It’s not a study guide, but is full of good information on vSphere’s features and configuration.
7.  Know your configuration maximums but don’t spend all of your time studying them.

The exam is not difficult; the questions are fair and easy to understand.  I was lacking knowledge in two critical areas and it really showed in my score.

Even after deploying VMware solutions for the last couple of years, the certification process has taught me a great deal about the product.  I guess that’s the whole idea, isn’t it?

In terms of ROI, I’ve already gone back to a few of the clients I work with and suggested some changes/enhancements to their configurations.  Having good instructors for the class and combing through the documentation studying for the exam has opened my eyes to vSphere’s capabilities.

So far I’d have to say that going through the VCP certification process has had a very positive impact on my ability to consult, engineer, deploy and support vSphere.

Posted in VCP, VMware, Virtualization

VCP4 Exam Blueprint – Objective 3.2 – Configure iSCSI SAN Storage

Posted by Chris on September 21, 2009

VCP4 Exam Blueprint

Objective 3.2 – Configure iSCSI SAN Storage

Knowledge

Page numbers refer to the VMware iSCSI SAN Configuration Guide pdf.

1.  Identify iSCSI SAN hardware components (pg. 9)
-Host Bus Adapters (HBA)
-Network Interface Cards (NIC)
-Switches
-Routers
-Cables
-Storage Processors (SP)
-Storage Disk Subsystems

2.  Determine use cases for hardware vs. software iSCSI initiators
-Hardware Initiator – specialized iSCSI HBA, responsible for all iSCSI and network processing and management
-Hardware initiators provide better performance and throughput by offloading iSCSI and TCP processing overhead.

-Software Initiator – Code built into the VMkernel that allows the host to connect to the storage device through a standard Ethernet adapter.
-Software initiators provide adequate performance for most applications, are less complex and easier to implement.

3.  Configure the iSCSI Software Initiator (pg. 30)
-Configure a VMkernel port for the physical network adapter.
-Enable the software iSCSI initiator
-Activate multi-pathing using the port binding technique on the ESX host if you use multiple network adapters
-Enable jumbo frames if needed and supported.  Jumbo frames must be enabled for each vSwitch via the CLI.
vicfg-vswitch -m <MTU> <vSwitch>
-For jumbo frames, you must create a VMkernel network interface enabled with jumbo frames.
esxcfg-vmknic -a -I <ip address> -n <netmask> -m <MTU> <port group name>

4.  Configure Dynamic/Static Discovery (pg. 35)
-Dynamic Discovery (Send Targets) – the server sends a list of available targets in response to the Send Targets request.
-Targets discovered via Dynamic Discovery are added to the Static Discovery tab
-Static Discovery – the initiator uses a list of targets (IP addresses and target names)
-Required privilege: Host.Configuration.Storage Partition Configuration
-Configuration>Storage Adapters>Properties>Dynamic Discovery>Add
-You cannot change the IP address, DNS name, or port number of an existing Send Targets server. To make changes, delete the existing server and add a new one.

5.  Configure CHAP Authentication (pg. 37)
-ESX/ESXi supports CHAP at the adapter level.
-Software iSCSI supports per-target CHAP
-For software iSCSI, the CHAP name should not exceed 511 and the CHAP secret 255 alphanumeric characters.
-For hardware iSCSI, the CHAP name should not exceed 255 and the CHAP secret 100 alphanumeric characters.
-Required privilege: Host.Configuration.Storage Partition Configuration
-Configuration>Storage Adapters>Properties>General Tab>CHAP

6.  Configure VMkernel port binding for iSCSI Software multi-pathing  (pg. 32)
-You must create one VMkernel port for each network adapter before you can set up multipathing
-esxcli swiscsi nic add -n <port_name> -d <vmhba>

7.  Discover LUNs  (pg. 60)
-Perform a rescan each time you create a new LUN on the SAN
-By default, the VMkernel scans for LUN 0 to LUN 255 for every target (a total of 256 LUNs).
-You cannot discover LUNs with a LUN ID number that is greater than 255.
-Modify the Disk.MaxLUN parameter to improve LUN discovery speed.
-Configuration>Advanced Settings>Disk>Disk.MaxLUN

8.  Identify iSCSI addressing in the context of the host (pg. 10)
-IP Address
-iSCSI name (world wide unique name)
-iSCSI alias (friendly name, not unique)

-IQN (iSCSI Qualified Name) format  iqn.yyyy-mm.naming-authority:unique name
-the naming authority is the domain name written in reverse order

-EUI (Enterprise Unique Identifiers) format  eui.<16 hex digits>
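
A validator for the name formats in item 8 and the CHAP length limits in item 5, as an added example (not from the original notes or from VMware's tooling). The function names and sample values are constructed; lowercasing names before matching and applying the "alphanumeric" rule to the secret only are assumptions of this example.

```python
import re

# iqn.yyyy-mm.<reversed naming authority>[:<unique name>]
IQN_RE = re.compile(
    r"^iqn\.(\d{4})-(\d{2})\.([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(\S+))?$")
# eui. followed by exactly 16 hex digits
EUI_RE = re.compile(r"^eui\.[0-9a-f]{16}$")

# Limits from item 5: initiator type -> (max CHAP name, max CHAP secret)
CHAP_LIMITS = {"software": (511, 255), "hardware": (255, 100)}


def classify_iscsi_name(name):
    """Return ('iqn', fields) or ('eui', fields); raise ValueError otherwise."""
    n = name.strip().lower()          # assumption: compare names in lowercase
    if EUI_RE.match(n):
        return "eui", {"id": n[4:]}
    m = IQN_RE.match(n)
    if not m:
        raise ValueError("not an IQN or EUI name: %r" % name)
    year, month, authority, unique = m.groups()
    if not 1 <= int(month) <= 12:
        raise ValueError("IQN month out of range: %s" % month)
    # The naming authority is a reversed domain; flip it back for display.
    domain = ".".join(reversed(authority.split(".")))
    return "iqn", {"date": "%s-%s" % (year, month),
                   "domain": domain, "unique": unique}


def check_chap(initiator, chap_name, secret):
    """Return a list of problems with a CHAP name/secret; empty means OK."""
    max_name, max_secret = CHAP_LIMITS[initiator]
    problems = []
    if not 1 <= len(chap_name) <= max_name:
        problems.append("name must be 1-%d characters" % max_name)
    if not 1 <= len(secret) <= max_secret:
        problems.append("secret must be 1-%d characters" % max_secret)
    elif not secret.isalnum():        # assumption: rule applies to the secret
        problems.append("secret must be alphanumeric")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real host.
    print(classify_iscsi_name("iqn.1998-01.com.vmware:esx01-4a2b3c"))
    print(check_chap("hardware", "iqn.1998-01.com.vmware:esx01", "A" * 101))
```

A secret that fits a software initiator (up to 255 characters) can still be rejected by a hardware HBA (100), so check against the initiator type actually in use before rolling credentials out to mixed hosts.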

Tools
-iSCSI SAN Configuration Guide
-Product Documentation
-VMware vSphere Client
-esxcli

Posted in VCP, VMware, Virtualization, iSCSI