Wednesday, May 28, 2014

Back To Basics: Configuring Standard vSwitch with PowerCLI (Part Three of Three)

Post by Mike Laverick, Senior Cloud Infrastructure Evangelist, Competitive Team

This post originally appeared on Mike Laverick’s blog


Introduction


In this final part of the three-parter on the Standard vSwitch I look at exactly the same configuration as achieved with the Web Client. Standard vSwitches benefit greatly from the strategic use of Foreach loops. In my case I use a Foreach loop to list all my ESX hosts (I only have 3 per vCenter environment!) and then repeat the configuration. In a larger environment you may well want to use the Get-Cluster cmdlet to limit the scope of your configuration to particular ESX hosts in a particular cluster.


The other thing I would say is that these are quite crude examples – deliberately so. There’s no error checking or validation.


One thing I am stumped by is how to use PowerCLI to add management ports to the VMware ESX host. I’ve worked that out for VMotion and FT, but not for management. My main reason is to show how to do that for high-availability to avoid network split-brain. If anyone can help me out on that I would update this post, and credit you…


Creating an Internal Standard vSwitch


This script creates an internal vSwitch. An internal switch doesn’t allow for any outbound communication from the physical ESX host. Internal vSwitches are limited in use because generally you want to access the VM from the outside world. But they can be useful when, say, building a VM and you want the NIC to function, but you don’t want folks able to RDP/PuTTY into the VM. In addition to creating a vSwitch called vSwitch1, it also adds a VM portgroup called “IsolatedNetwork”.



Foreach ($vmhost in (get-vmhost))
{
$vswitch1 = New-VirtualSwitch -VMHost $vmhost -Name vSwitch1
New-VirtualPortGroup -VirtualSwitch $vswitch1 -Name IsolatedNetwork
}

Creating a Basic Standard vSwitch


This script does exactly the same as above, except it maps a physical network card to the vSwitch. This offers basic communication to the outside world, but critically no network redundancy. So it may be useful in circumstances where network redundancy isn’t a massive requirement. Generally, you will want to give network redundancy to VMs and storage networks – but for other ancillary communications it might not be needed.



Foreach ($vmhost in (get-vmhost))
{
$vswitch2 = New-VirtualSwitch -VMHost $vmhost -Name vSwitch2 -Nic vmnic1
New-VirtualPortGroup -VirtualSwitch $vswitch2 -Name BasicConnectivity
}

Note: Previous editions of VMware ESX would also require the -NumPorts parameter to indicate the number of ports (think of them like the little ethernet RJ on a physical switch except they are in software, not hardware!) on the vSwitch. This setting is no longer significant in vSphere 5.5 since Standard vSwitches support the “elastic” creation of ports on demand.


Creating a Teamed Standard vSwitch with VLAN Tagging


In this example I kill two birds with one script: first handling network redundancy and load-balancing by mapping the physical NICs vmnic2 and vmnic3 to the vSwitch, and at the same time enabling VLAN support. Despite all the wonders of network overlaying with methods like VMware VXLAN and VMware NSX, it’s still pretty common to see people segmenting their networks with Ye Olde VLAN. VMware supports a “tagging” process by which ethernet packets are tagged with a VLAN ID as they leave the ESX host. 4 bytes are added to the packet to basically say “hello I’m a VLAN Tagged packet AND my VLAN ID is…”. The tagging process adds a teeny-weeny CPU overhead, so small that in this day and age of CPUs it’s almost invisible. It allows the VMware ESX host to address thousands of VLANs despite having a limited number of NICs.



Foreach ($vmhost in (get-vmhost))
{
$vswitch3 = New-VirtualSwitch -VMHost $vmhost -Name vSwitch3 -Nic vmnic2,vmnic3
New-VirtualPortGroup -VirtualSwitch $vswitch3 -Name VLAN12 -VLanID 12
New-VirtualPortGroup -VirtualSwitch $vswitch3 -Name VLAN13 -VLanID 13
New-VirtualPortGroup -VirtualSwitch $vswitch3 -Name VLAN14 -VLanID 14
New-VirtualPortGroup -VirtualSwitch $vswitch3 -Name VLAN15 -VLanID 15
}

Note: Previous editions of VMware ESX would also require the -NumPorts parameter to indicate the number of ports on the vSwitch. This setting is no longer significant in vSphere 5.5 since Standard vSwitches support the “elastic” creation of ports on demand.


Adding a new VLAN Portgroup to an existing Standard vSwitch


Okay, so one day a new bunch of VMs is created for a new project – and the application owner demands their own VLAN to keep their stuff separate from other people’s stuff. The application owner is resolute in their belief that VLANs automagically mean more security and control over their VMs. Try not to raise your eyebrows and sigh. But how do you go round all those VMware ESX hosts quickly and consistently and add the new VLAN? With PowerCLI, that’s how.



Foreach ($vmhost in (get-vmhost))
{
$vswitch3 = Get-VirtualSwitch -VMHost $vmhost -Name vSwitch3
New-VirtualPortGroup -VirtualSwitch $vswitch3 -Name VLAN16 -VLanID 16
}

Adding a range of VLAN Portgroups to an existing Standard vSwitch


This PowerCLI script uses a range to add portgroups named VLAN20 to VLAN25 to vSwitch0, each with the VLAN tagging value set accordingly. The range is a sequence of numbers, in this case 20, 21, 22, 23, 24, and 25. The PowerCLI script uses this range to loop around each ESX host, adding VLAN20/21/22/23/24/25 to each one.



20..25 | Foreach {
$Num = $_

(Get-VMHost | sort-object name) | foreach {
New-VirtualPortGroup -VirtualSwitch (Get-VirtualSwitch -Name vSwitch0 -VMHost $_) -Name VLAN$num -VLanId $num
}
}
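The introduction notes that these scripts have no error checking and that Get-Cluster can limit their scope. The following is an added example, not part of the original post, that applies both ideas to the VLAN range script. It assumes an existing Connect-VIServer session; the function name Add-VlanPortGroup and the cluster name Cluster01 are hypothetical.

```powershell
# Added example, not from the original post. Assumes an existing Connect-VIServer
# session; Add-VlanPortGroup and the cluster name 'Cluster01' are hypothetical.
function Add-VlanPortGroup {
    param(
        [Parameter(Mandatory)] [string] $ClusterName,
        [Parameter(Mandatory)] [ValidateRange(1, 4094)] [int[]] $VlanId,  # tagged IDs only
        [string] $SwitchName = 'vSwitch0'
    )
    # Limit the scope to one cluster instead of every host in vCenter.
    $vmhosts = Get-Cluster -Name $ClusterName -ErrorAction Stop | Get-VMHost | Sort-Object Name
    foreach ($vmhost in $vmhosts) {
        # Look the switch up once per host; a missing switch is reported, not fatal.
        $vswitch = Get-VirtualSwitch -VMHost $vmhost -Name $SwitchName -Standard -ErrorAction SilentlyContinue
        foreach ($id in $VlanId) {
            $name   = "VLAN$id"
            $status = 'Created'
            if (-not $vswitch) {
                $status = 'SwitchMissing'
            }
            else {
                $existing = Get-VirtualPortGroup -VMHost $vmhost -Name $name -Standard -ErrorAction SilentlyContinue
                if ($existing) {
                    # Never overwrite: flag a portgroup whose VLAN ID differs from the request.
                    $status = if ($existing.VLanId -eq $id) { 'AlreadyPresent' } else { 'VlanIdMismatch' }
                }
                else {
                    try {
                        New-VirtualPortGroup -VirtualSwitch $vswitch -Name $name -VLanId $id -ErrorAction Stop | Out-Null
                    }
                    catch {
                        $status = "Failed: $($_.Exception.Message)"
                    }
                }
            }
            [pscustomobject]@{ VMHost = $vmhost.Name; PortGroup = $name; VLanId = $id; Status = $status }
        }
    }
}

Add-VlanPortGroup -ClusterName 'Cluster01' -VlanId (20..25) | Format-Table -AutoSize
```

Because existing portgroups are skipped, the function can be re-run safely; any row with a status other than Created or AlreadyPresent marks a host that has drifted from the intended configuration.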

Creating a Teamed Standard vSwitch for Load-Balanced iSCSI communications


In this case a .CSV file is configured with the unique IP addresses used for IP storage communication.


Using the Import-Csv cmdlet, the variables vmhost, storage0ip and storage1ip are read. They are then referenced in a ForEach-Object loop that configures each VMware ESX host.



Import-CSV vmhosts.csv | ForEach-Object {
$hostname = $_.vmhost
$ipstorage0 = $_.storage0ip
$ipstorage1 = $_.storage1ip

$vswitch4 = New-VirtualSwitch -VMHost $hostname -Name vSwitch4 -Nic vmnic2,vmnic3
New-VMHostNetworkAdapter -VMHost $hostname -VirtualSwitch $vswitch4 -PortGroup IP-Storage0 -IP $ipstorage0 -SubnetMask 255.255.255.0
New-VMHostNetworkAdapter -VMHost $hostname -VirtualSwitch $vswitch4 -PortGroup IP-Storage1 -IP $ipstorage1 -SubnetMask 255.255.255.0
Get-VirtualPortGroup -VMHost $HostName -VirtualSwitch $vswitch4 -Name IP-Storage0 | Get-NicTeamingPolicy | Set-NicTeamingPolicy -MakeNicActive vmnic2 -MakeNicUnused vmnic3
Get-VirtualPortGroup -VMHost $HostName -VirtualSwitch $vswitch4 -Name IP-Storage1 | Get-NicTeamingPolicy | Set-NicTeamingPolicy -MakeNicActive vmnic3 -MakeNicUnused vmnic2
}
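Since the CSV-driven scripts pass every row straight to the host configuration cmdlets, a pre-flight check of the file catches malformed or duplicated addresses before anything is changed. This is an added example, not part of the original post; the function name Test-VmhostCsvRow is hypothetical and the sample rows are constructed, using the column names from the script above.

```powershell
# Added example, not from the original post. Sample rows are constructed.
$sampleCsv = @'
vmhost,storage0ip,storage1ip
esx01.example.test,172.16.10.11,172.16.10.21
esx02.example.test,172.16.10.12,172.16.10.22
esx03.example.test,172.16.10.12,172.16.10.300
'@

function Test-VmhostCsvRow {
    param(
        [Parameter(Mandatory)] [object[]] $Row,
        [string[]] $IpColumn = @('storage0ip', 'storage1ip')
    )
    $seen = @{}    # IP address -> first host that claimed it
    foreach ($r in $Row) {
        $problems = @()
        if ([string]::IsNullOrWhiteSpace($r.vmhost)) { $problems += 'vmhost is empty' }
        foreach ($col in $IpColumn) {
            $value  = "$($r.$col)".Trim()
            $parsed = $null
            # Require dotted-quad form: IPAddress.TryParse alone also accepts "10.1" or "5".
            if ($value -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
                -not [System.Net.IPAddress]::TryParse($value, [ref] $parsed)) {
                $problems += "$col '$value' is not a valid IPv4 address"
            }
            elseif ($seen.ContainsKey($value)) {
                $problems += "$col $value is already used by $($seen[$value])"
            }
            else {
                $seen[$value] = $r.vmhost
            }
        }
        [pscustomobject]@{ VMHost = $r.vmhost; Valid = ($problems.Count -eq 0); Problems = $problems -join '; ' }
    }
}

$results = Test-VmhostCsvRow -Row ($sampleCsv | ConvertFrom-Csv)
$results | Format-Table -AutoSize -Wrap
```

For the real file, pass `Import-Csv vmhosts.csv` as -Row; the VMotion and FT scripts can be checked the same way with `-IpColumn vmotionIP` or `-IpColumn ftIP`.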

Modifying a Teamed Standard vSwitch for Load-Balanced iSCSI communications


In this case a .CSV file is configured with the unique IP addresses used for IP storage communication.


In this script Get-VirtualSwitch, Get-VMHost, and Get-VMHostNetworkAdapter are used to retrieve the details of vSwitch0. Then the cmdlet Add-VirtualSwitchPhysicalNetworkAdapter is used to add vmnic1 to vSwitch0. This used to be done with Set-VirtualSwitch -Nic, but this method has since become deprecated. This is something to watch out for as you upgrade from one flavour of vSphere to another – PowerCLI can and does change, and that does sometimes necessitate the gradual removal of redundant methods that are no longer needed.



Import-CSV vmhosts.csv | ForEach-Object {
$hostname = $_.vmhost
$ipstorage0 = $_.storage0ip
$ipstorage1 = $_.storage1ip

$vswitch0 = Get-VirtualSwitch -VMHost $hostname -Name vSwitch0
$vmnic1 = Get-VMhost $hostname | Get-VMHostNetworkAdapter -Physical -Name vmnic1
Add-VirtualSwitchPhysicalNetworkAdapter -VirtualSwitch $vswitch0 -VMHostPhysicalNic $vmnic1 -confirm:$false
New-VMHostNetworkAdapter -VMHost $hostname -VirtualSwitch $vswitch0 -PortGroup IP-Storage0 -IP $ipstorage0 -SubnetMask 255.255.255.0
New-VMHostNetworkAdapter -VMHost $hostname -VirtualSwitch $vswitch0 -PortGroup IP-Storage1 -IP $ipstorage1 -SubnetMask 255.255.255.0
Get-VirtualPortGroup -VMHost $HostName -VirtualSwitch $vswitch0 -Name IP-Storage0 | Get-NicTeamingPolicy | Set-NicTeamingPolicy -MakeNicActive vmnic0 -MakeNicUnused vmnic1
Get-VirtualPortGroup -VMHost $HostName -VirtualSwitch $vswitch0 -Name IP-Storage1 | Get-NicTeamingPolicy | Set-NicTeamingPolicy -MakeNicActive vmnic1 -MakeNicUnused vmnic0
}

Creating a VMkernel Port for VMotion


In this case a .CSV file is configured with the unique IP addresses used for VMotion.


In this case the cmdlet New-VMHostNetworkAdapter, with -VMotionEnabled set to $true, is used to enable VMotion on a portgroup called VMotion.



Import-CSV vmhosts.csv | ForEach-Object {
$hostname = $_.vmhost
$vmotion = $_.vmotionIP

$vswitch0 = Get-VirtualSwitch -VMHost $hostname -Name vSwitch0
New-VMHostNetworkAdapter -VMHost $hostname -VirtualSwitch $vswitch0 -PortGroup VMotion -IP $vmotion -SubnetMask 255.255.255.0 -VMotionEnabled $true
}

Creating a VMkernel Port for Fault Tolerance


In this case a .CSV file is configured with the unique IP addresses used for FT.


In this case the cmdlet New-VMHostNetworkAdapter, with -FaultToleranceLoggingEnabled set to $true, is used to enable the Fault Tolerance attribute on a portgroup called FT. Remember, for FT to work the VMware ESX host must be part of a VMware High-Availability enabled cluster.



Import-CSV vmhosts.csv | ForEach-Object {
$hostname = $_.vmhost
$FT = $_.ftIP

$vswitch0 = Get-VirtualSwitch -VMHost $hostname -Name vSwitch0
New-VMHostNetworkAdapter -VMHost $hostname -VirtualSwitch $vswitch0 -PortGroup FT -IP $FT -SubnetMask 255.255.255.0 -FaultToleranceLoggingEnabled $true
}





via VMware Blogs http://bit.ly/1pkn8HG
