Memory Tables
Table 1-4 Available vSphere Features
Available vSphere Features |
Description |
|---|---|
|
A feature introduced in vSphere 7.0 that enables you to back up and restore the vCenter Server Appliance instances. |
|
A feature that provides live virtual machine migrations with negligible disruption from a source ESXi host to a target ESXi host. |
|
A feature that provides automated failover protection for VMs against host, hardware, network, and guest OS issues. In the event of host system failure, it performs cold migrations and restarts failed VMs on surviving hosts. |
|
A feature that places and starts VMs on appropriate ESXi hosts and hot-migrates VMs using vMotion when there is contention for compute resources. |
|
A feature that performs live migrations with negligible disruption of VMs from a source datastore to a target datastore. |
|
A feature that provides automated live failover protection for VMs against host, hardware, network, and guest OS issues. |
|
A feature that optimizes power consumption in an ESXi cluster. |
|
A feature that minimizes VM downtime by proactively detecting hardware failures and placing the host in Quarantine Mode or Maintenance Mode. |
|
A centralized repository used to manage and distribute templates, ISO files, scripts, vApps, and other files associated with VMs. |
|
A feature that provides a means to apply a standard configuration to a set of ESXi hosts. |
Table 1-6 vCenter Server Editions
Feature |
Essentials |
Essentials Plus |
Foundation |
Standard |
|---|---|---|---|---|
Number of ESXi hosts |
3 (2 CPU max) |
3 (2 CPU max) |
|
2000 |
vCenter License |
Packaged with vSphere license in Essentials |
Packaged with vSphere license in Essentials Plus |
|
Sold separately from vSphere license |
Basic vCenter features, like single pane of glass management, Lifecycle Manager, and VMware Converter |
Supported |
Supported |
|
Supported |
Common vCenter features like vMotion, vSphere HA, and vSphere Replication |
Not supported |
Supported |
|
Supported |
Advanced features like vCenter Server High Availability (VCHA) and vCenter Server Backup and Restore |
N/A |
N/A |
|
Supported |
Table 1-10 Compute Specifications for vCenter Server Appliance
Component |
Number of CPUs |
Memory |
|---|---|---|
Tiny Environment Up to 10 hosts or 100 virtual machines |
|
|
Small Environment Up to 100 hosts or 1000 virtual machines |
|
|
Medium Environment Up to 400 hosts or 4000 virtual machines |
|
|
Large Environment Up to 1000 hosts or 10,000 virtual machines |
|
|
X-Large Environment Up to 2000 hosts or 35,000 virtual machines |
|
|
Table 1-11 Storage Sizes for vCenter Server Appliance
Deployment Size |
Default Storage Size |
Large Storage Size |
X-Large Storage Size |
|---|---|---|---|
Tiny |
|
1490 GB |
|
Small |
|
1535 GB |
|
Medium |
|
1700 GB |
|
Large |
|
1765 GB |
|
X-Large |
|
1905 GB |
|
Table 1-12 Required Ports for vCenter Sever
Protocol/Port |
Description |
Required for |
|---|---|---|
|
System port for SSHD |
vCenter Server (Must be open for upgrade of the appliance.) |
|
Port for direct HTTP connections; redirects requests to HTTPS port 443 |
vCenter Server |
|
Required to be open to join Active Directory |
vCenter Server |
|
LDAP port for directory services for the vCenter Server group |
vCenter Server to vCenter Server |
|
Default port used by vCenter Server to listen for connections from the vSphere Web Client and SDK clients |
vCenter Server to vCenter Server |
|
vSphere Syslog Collector port for vCenter Server and vSphere Syslog Service port for vCenter Server Appliance |
vCenter Server |
|
Default port that the vCenter Server system uses to send data to managed hosts |
vCenter Server |
|
vSphere Syslog Collector TLS port for vCenter Server |
vCenter Server |
|
Control interface RPC for Single Sign-On |
vCenter Server |
|
RPC port for VMware Certificate Authority (VMCA) APIs |
VMCA |
|
Authentication framework management |
vCenter Server |
|
vCenter Server Appliance Management Interface (VAMI) |
vCenter Server |
|
ESXi Dump Collector port |
vCenter Server |
|
Secure Token Service (internal ports) |
vCenter Server |
|
vSphere Client (internal ports) |
vCenter Server |
|
VMware vSphere Authentication Proxy |
vCenter Server |
|
vSphere Lifecycle Manager SOAP port used by vSphere Lifecycle Manager client plug-in |
vSphere Lifecycle Manager |
|
vSphere Lifecycle Manager Web Server Port used by ESXi hosts to access host patch files from vSphere Lifecycle Manager server |
vSphere Lifecycle Manager |
|
vSphere Lifecycle Manager Web SSL port used by vSphere Lifecycle Manager client plug-in for uploading host upgrade files to vSphere Lifecycle Manager server |
vSphere Lifecycle Manager |
|
vSphere Web Client HTTPS |
vCenter Server |
Table 2-2 Comparison of VMFS Version 5 and Version 6
VMFS Features and Functionalities |
Version 5 |
Version 6 |
|---|---|---|
Access for ESXi hosts Version 6.5 and later |
Yes |
Yes |
Access for ESXi hosts Version 6.0 and earlier |
Yes |
No |
Datastores per host |
512 |
512 |
512n storage devices |
Yes |
Yes (default) |
512e storage devices |
Yes (Not supported on local 512e devices.) |
|
4Kn storage devices |
No |
|
Automatic space reclamation |
No |
|
Manual space reclamation through the esxcli command. |
Yes |
|
Space reclamation from guest OS |
Limited |
|
GPT storage device partitioning |
Yes |
|
MBR storage device partitioning |
Yes For a VMFS5 datastore that has been previously upgraded from VMFS3. |
|
Storage devices greater than 2 TB for each VMFS extent |
Yes |
|
Support for virtual machines with large-capacity virtual disks, or disks greater than 2 TB |
Yes |
|
Support of small files (1 KB) |
Yes |
|
Default use of ATS-only locking mechanisms on storage devices that support ATS |
Yes |
|
Block size |
Standard 1 MB |
Standard 1 MB |
Default snapshots |
VMFSsparse for virtual disks smaller than 2 TB SEsparse for virtual disks larger than 2 TB |
SEsparse |
Virtual disk emulation type |
|
512n |
vMotion |
|
Yes |
Storage vMotion across different datastore types |
|
Yes |
High Availability and Fault Tolerance |
|
Yes |
DRS and Storage DRS |
|
Yes |
RDM |
|
Yes |
Table 2-4 Comparison of NFS Version 3 and Version 4.1 Support for vSphere Features and Solutions
NFS Features and Functionalities |
Version 3 |
Version 4.1 |
|---|---|---|
vMotion and Storage vMotion |
Yes |
Yes |
High Availability (HA) |
Yes |
Yes |
Fault Tolerance (FT) |
Yes |
Yes (Supports the new FT mechanism introduced in vSphere 6.0 that supports up to four vCPUs, not the legacy FT mechanism.) |
Distributed Resource Scheduler (DRS) |
Yes |
|
Host Profiles |
Yes |
|
Storage DRS |
Yes |
|
Storage I/O Control |
Yes |
|
Site Recovery Manager |
Yes |
|
Virtual Volumes |
Yes |
|
vSphere Replication |
Yes |
|
vRealize Operations Manager |
Yes |
|
Table 2-7 RAID Configuration Comparison
RAID Configuration |
PFTT |
Data Size |
Required Capacity |
Usable Capacity |
|---|---|---|---|---|
RAID 1 (mirroring) |
1 |
100 GB |
|
|
RAID 5 or RAID 6 (erasure coding) with four fault domains |
1 |
100 GB |
|
|
RAID 1 (mirroring) |
2 |
100 GB |
|
|
RAID 5 or RAID 6 (erasure coding) with six fault domains |
2 |
100 GB |
|
|
RAID 1 (mirroring) |
3 |
100 GB |
|
|
RAID 5 or RAID 6 (erasure coding) with six fault domains |
3 |
N/A |
|
|
Table 2-12 vSAN Storage Policies
Policy |
Description |
|---|---|
|
This policy defines how many host and device failures a VM object can withstand. For n failures tolerated, data is stored in n+1 location. (This includes parity copies with RAID 5 or 6.) If no storage policy is selected at the time of provisioning a VM, this policy is assigned by default. Where fault domains are used, 2n+1 fault domains, each with hosts adding to the capacity, are required. If an ESXi host isn’t in a fault domain, it is considered to be in a single-host fault domain. The default setting for this policy is 1, and the maximum is 3. |
|
In stretched clusters, this policy defines how many additional host failures can be tolerated after a site failure’s PFTT has been reached. If PFTT = 1, SFTT = 2, and one site is inaccessible, two more host failures can be tolerated. The default setting for this policy is 1, and the maximum is 3. |
|
If PFTT = 0, this option is available. The options for this policy are None, Preferred, and Secondary. This allows objects to be limited to one site or one host in stretched clusters. The default setting for this policy is None. |
|
This policy defines whether the data replication mechanism is optimized for performance or capacity. If RAID-1 (Mirroring)—Performance is selected, there will be more space consumed in the object placement but better performance for accessing the space. If RAID-5/6 (Erasure Coding)—Capacity is selected, there will be less disk utilization, but performance will be reduced. |
|
This policy determines the number of capacity devices where each VM object replica is striped. Setting this above 1 can improve performance but consumes more resources. The default setting for this policy is 1, and the maximum is 12. |
|
This policy defines the amount of flash capacity that is reserved for read caching of VM objects. This is defined as a percentage of the size of the VMDK. This is supported only in hybrid vSAN clusters. The default setting for this policy is 0%, and the maximum is 100%. |
|
If set to yes, this policy forces provisioning of objects, even when policies cannot be met. The default setting for this policy is no. |
|
This policy defines the percentage of VMDK objects that must be thick provisioned on deployment. The options are as follows:
|
|
A checksum is used end-to-end in validating the integrity of the data to ensure that data copies are the same as the original. In the event of a mismatch, incorrect data is overwritten. If this policy is set to yes, a checksum is not calculated. The default setting for this policy is no. |
|
This policy sets a limit for IOPS of an object. If set to 0, there is no limit. |
Table 3-2 Advantages and Disadvantages of IP Hash NIC Teaming
Advantages |
Disadvantages |
|---|---|
A more even distribution of the load compared to Route Based on Originating Virtual Port and Route Based on Source MAC Hash A potentially higher throughput for virtual machines that communicate with multiple IP addresses |
|
Table 3-3 Comparison of vSS and vDS Features
Feature |
vSS |
vDS |
|---|---|---|
Layer 2 switch |
|
|
VLAN segmentation (802.1q tagging) |
|
|
IPv6 support |
|
|
NIC teaming |
|
|
Outbound traffic shaping |
|
|
Cisco Discovery Protocol (CDP) |
|
|
Inbound traffic shaping |
|
|
VM network port block |
|
|
Private VLANs |
|
|
Load-based NIC teaming |
|
|
Data center–level management |
|
|
Network vMotion |
|
|
Per-port policy settings |
|
|
Port state monitoring |
|
|
NetFlow |
|
|
Port mirroring |
|
|
Table 3-4 vDS Health Checks
Health Check |
Required vDS Configuration |
|---|---|
Checks whether the VLAN trunk ranges on the distributed switch match the trunk port configuration on the connected physical switch ports. |
|
Checks for matching MTU settings on the distributed switch, the physical network adapter, and the physical switch ports. |
|
Checks whether the virtual switch teaming policy matches the physical switch port-channel settings. |
|
Table 3-5 SR-IOV Requirements
Component |
Requirements |
|---|---|
Physical host
|
|
Physical network adapter
|
|
Physical function (PF) driver in ESXi
|
|
Guest OS |
|
Virtual function (VF) driver in guest OS |
|
Table 4-4 Resource Pool Use Cases
Use Case |
Details |
|---|---|
Flexible hierarchical organization |
Add, remove, modify, and reorganize resource pools, as needed. |
Resource isolation |
Use resource pools to allocate resources to separate departments, in such a manner that changes in a pool do not unfairly impact other departments. |
|
|
|
|
Managing multitier applications. |
Manage the resources for a group of virtual machines (in a specific resource pool), which is easier than managing resources per virtual machine. |
Table 4-6 Virtual Machine Shares
Setting |
CPU Share Value |
Memory Share Value |
|---|---|---|
High |
|
|
Normal |
1000 per vCPU |
10 per MB |
Low |
|
|
Table 4-9 Advanced vSphere HA Options
Option |
Description |
|---|---|
das.isolationaddressX |
Provides the addresses to use to test for host isolation when no heartbeats are received from other hosts in the cluster. If this option is not specified (which is the default setting), the management network default gateway is used to test for isolation. To specify multiple addresses, you can set das.isolationaddressX, where X is a number between 0 and 9. |
|
Specifies whether to use the default gateway IP address for isolation tests. |
das.isolationshutdowntimeout |
For scenarios where the host’s isolation response is to shut down, specifies the period of time that the virtual machine is permitted to shut down before the system powers it off. |
|
Defines the maximum bound on the memory slot size. |
|
Defines the maximum bound on the CPU slot size. |
|
Defines the default memory resource value assigned to a virtual machine whose memory reservation is not specified or is zero. This is used for the Host Failures Cluster Tolerates admission control policy. |
|
Defines the default CPU resource value assigned to a virtual machine whose CPU reservation is not specified or is zero. This is used for the Host Failures Cluster Tolerates admission control policy. If no value is specified, the default of 32 MHz is used. |
das.heartbeatdsperhost |
Specifies the number of heartbeat datastores required per host. The default is 2. The acceptable values are 2 to 5. |
das.config.fdm.isolationPolicyDelaySec |
Specifies the number of seconds the system delays before executing the isolation policy after determining that a host is isolated. The minimum is 30. A lower value results in a 30-second delay. |
|
Determines whether vSphere HA should enforce VM–VM anti-affinity rules even when DRS is not enabled. |
Table 4-10 VM Monitoring Settings
Setting |
Failure Interval |
Reset Period |
|---|---|---|
High |
|
1 hour |
Medium |
|
24 hours |
Low |
|
7 days |
Table 5-2 Virtual Machine Files
|
Description |
|---|---|
|
Virtual machine configuration file |
|
Additional virtual machine configuration file |
|
Virtual disk characteristics (metadata) file |
|
Virtual disk data file (commonly called a flat file) |
|
Virtual machine BIOS or UEFI configuration file |
|
Virtual machine snapshot file |
|
Virtual machine snapshot data file |
|
Virtual machine swap file |
|
Virtual machine suspend file |
|
Current virtual machine log file |
|
Old virtual machine log file, where # is a number starting with 1 |
Table 5-4 Virtual Machine Options
Category |
Description |
|---|---|
General Options |
|
Encryption Options |
|
Power Management
|
|
VMware Tools |
Settings allow you to choose how to respond to specific power operations. For example, you can choose whether to power off the virtual machine or shut down the guest when the red power-off button is clicked. |
Virtualization Based Security (VBS) |
|
Boot Options |
|
Advanced Options
|
|
Fibre Channel NPIV |
Settings allow the virtual machine to use N_Port ID Virtualization (NPIV), including whether to generate new worldwide names (WWNs). |
vApp Options |
Settings allow you to control vApp functionality for the virtual machine, such as enable/disable and IP allocation policy. vApp settings that are made directly to a virtual machine override settings made on the vApp. |
Table 6-2 Required Permissions for the vCenter Cloud Account
Object |
Permissions |
|---|---|
Datastore
|
|
Datastore cluster |
|
Folder
|
|
Global
|
|
Network |
|
Permissions |
|
Resource
|
|
Content library |
|
|
|
Tags |
|
vApp |
|
Virtual machine inventory
|
|
Virtual machine interaction
|
|
Virtual machine configuration |
|
Virtual machine provisioning
|
|
Virtual machine state |
|
Table 6-3 Required vCenter Server Privileges for Horizon (without instant clones)
Privilege Group |
Privileges to Enable |
|---|---|
Folder
|
|
Datastore |
|
Virtual Machine
|
|
Resource |
|
Global |
|
Host (for Storage Accelerator)
|
|
Profile Driven Storage (for vSAN or Virtual Volumes) |
|
Table 6-5 VMware HCX Services
Service |
License |
Description |
|---|---|---|
|
Advanced |
Creates secured connections between HCX instances, supporting migration, replication, disaster recovery, and management operations. Deployed as a virtual appliance. |
|
Advanced |
Optimizes the performance of the connection provided by HCX Interconnect through a combination of deduplication, compression, and line conditioning techniques. Deployed as a virtual appliance. |
|
Advanced |
Extends (that is, provides Layer 2 adjacency) the virtual machine networks between source and remote HCX-enabled environments. Deployed as a virtual appliance. |
|
Advanced |
Migrates a set of virtual machines using VMware vSphere Replication in parallel between HCX-enabled sites. |
|
Advanced |
Migrates a single virtual machine between HCX-enabled sites with no service interruption, using vMotion. |
|
Advanced |
Protects virtual machines from disaster by using replication and recovery. |
|
Enterprise |
Allows you to group virtual machines by application, network, or other aspects for migration and monitoring. |
|
Enterprise |
Leverages HCX Sentinel software in the guest OS to migrate Windows and Linux virtual machines to a vSphere-enabled data center. Uses a gateway appliance at the source and a receiver appliance at the destination. |
|
Enterprise |
Migrates a set of virtual machines in parallel, using VMware vSphere Replication and vMotion between HCX-enabled sites with no service interruption. |
|
Enterprise |
Integrates HCX functionality with the VMware SRM for protection and orchestrated recovery operations. |
|
Enterprise |
Optimizes network traffic for HCX Interconnect and Network Extension services. The Application Path Resiliency service creates multiple tunnel flows for both Interconnect and Network Extension traffic. The TCP Flow Conditioning service adjusts and optimizes the segment size to reduce fragmentation and reduce the overall packet rate. |
|
Enterprise |
Integrates HCX Network Extension with NSX Dynamic Routing to enable optimal networking between migrated virtual machines and other virtual machines. Works with new or existing network extensions to NSX-T 3.0 Data Center. |
Table 7-2 Core Identity Services in vSphere
Service |
Description |
|---|---|
|
Serves as an identity source that handles SAML certificate management for authentication with vCenter Single Sign-On. |
|
Issues certificates for VMware solution users, machine certificates for machines on which services are running, and ESXi host certificates. VMCA can be used as is, or it can be used as an intermediary certificate authority. |
|
Includes VMware Endpoint Certificate Store (VECS) and several internal authentication services. |
Table 7-6 Certificates in vSphere
Certificate |
Provisioned |
Details |
|---|---|---|
ESXi certificate |
|
Stored locally on an ESXi host in the /etc/vmware/ssl directory when the host is first added to vCenter Server and when it reconnects. |
Machine SSL certificate |
|
Stored in VECS. Used to create SSL sockets for SSL client connections, for server verification, and for secure communication such as HTTPS and LDAPS. Used by the reverse proxy service, the vCenter Server service (vpxd), and the VMware Directory service (vmdir). Uses X.509 Version 3 certificates to encrypt session information. |
Solution user certificate |
|
Stored in VECS. Used by solution users to authenticate to vCenter Single Sign-On through SAML token exchange. |
vCenter Single Sign-On SSL signing certificate |
|
Used throughout vSphere for authentication, where a SAML token represents the user’s identity and contains group membership information. You can manage this certificate from the command line. Changing this certificate in the file system leads to unpredictable behavior. |
VMware Directory Service (vmdir) SSL certificate |
|
Starting with vSphere 6.5, the machine SSL certificate is used as the vmdir certificate. |
vSphere Virtual Machine Encryption Certificates |
|
Used for virtual machine encryption, which relies on an external key management server (KMS). Depending on how the solution authenticates to the KMS, it might generate certificates and store them in VECS. |
Table 7-9 System Roles in vCenter Server 7.0
System Role |
Description |
|---|---|
Read-only |
Allows the user to view the state of an object and details about the object. For example, users with this role can view virtual machine attributes but cannot open the VM console. |
Administrator |
Includes all privileges of the read-only role and allows the user to view and perform all actions on the object. If you have the administrator role on an object, you can assign privileges to individual users and groups. If you have the administrator role in vCenter Server, you can assign privileges to users and groups in the default SSO identity source. By default, the administrator@vsphere.local user has the administrator role on both vCenter Single Sign-On and vCenter Server. |
No access |
Prevents users from viewing or interacting with the object. New users and groups are effectively assigned this role by default. |
No cryptography administrator |
Includes all privileges of the administrator role, except for cryptographic operations privileges. This role allows administrators to designate users who can perform all administrative tasks except encrypting or decrypting virtual machines or accessing encrypted data. |
Trusted infrastructure administrator role |
Allows users to perform VMware vSphere Trust Authority operations on some objects. Membership in the TrustedAdmins group is required for full vSphere Trust Authority capabilities. |
Table 7-10 Required Permissions for Common Tasks
Task |
Required Privileges |
|---|---|
Create a virtual machine
|
|
Deploy a virtual machine from a template |
On the destination folder or in the data center:
On a template or in a template folder:
On the destination host or cluster or in the resource pool:
On the destination datastore or in a datastore folder:
On the network that the virtual machine will be assigned to:
|
Take a virtual machine snapshot |
On the virtual machine or in a virtual machine folder:
On the destination datastore or in a datastore folder:
|
Move a virtual machine into a resource pool |
On the virtual machine or in a virtual machine folder:
In the destination resource pool:
|
Install a guest operating system on a virtual machine |
On the virtual machine or in a virtual machine folder:
|
|
On a datastore containing the installation media ISO image:
On the datastore to which you upload the installation media ISO image:
|
Migrate a virtual machine with vMotion
|
|
Cold migrate (relocate) a virtual machine
|
|
Migrate a virtual machine with Storage vMotion |
On the virtual machine or in a virtual machine folder:
On the destination datastore:
|
Move a host into a cluster |
On the host:
On the destination cluster:
|
Table 7-11 ESXi Security Profile Services
Service |
Default State |
Description |
|---|---|---|
Direct Console User Interface (DCUI) |
|
Allows you to interact with an ESXi host from the local console host using text-based menus |
ESXi Shell |
|
Is available from the DCUI or from SSH |
SSH |
|
Allows remote connections through Secure Shell |
Load-Based Teaming Daemon |
|
Enables load-based teaming |
attestd |
|
Enables the vSphere Trust Authority Attestation Service |
kmxd |
|
Enables the vSphere Trust Authority Key Provider Service |
Active Directory Service |
|
Is started on hosts after you configure ESXi for Active Directory |
NTP Daemon |
|
Enables the Network Time Protocol daemon |
PC/SC Smart Card Daemon |
|
Is started on hosts after you enable the host for smart card authentication |
CIM Server |
|
Can be used by Common Information Model (CIM) applications |
SNMP Server |
|
Enables the SNMP daemon |
Syslog Server |
|
Enables the syslog daemon |
VMware vCenter Agent (vpxa) |
|
Connects the host to vCenter Server |
X.Org Server |
|
Internally used for virtual machine 3D graphics |
Table 7-12 Incoming and Outgoing Firewall Ports
Firewall Service |
Incoming Port(s) |
Outgoing Port(s) |
|---|---|---|
CIM Server |
5988 (TCP) |
|
CIM Secure Server |
5989 (TCP) |
|
CIM SLP |
427 (TCP,UDP) |
427 (TCP,UDP) |
DHCPv6 |
546 (TCP,UDP) |
547 (TCP,UDP) |
DVSSync |
8301, 8302 (UDP) |
8301, 8302 (UDP) |
HBR |
|
44046, 31031 (TCP) |
NFC |
902 (TCP) |
902 (TCP) |
WOL |
|
9 (UDP) |
vSAN Clustering |
12345, 23451 (UDP) |
12345, 23451 (UDP) |
DCHP Client |
68 (UDP) |
68 (UDP) |
DNS Client |
53 (UDP) |
53 (TCP,UDP) |
Fault Tolerance |
|
|
NSX Distributed Logical Router Service |
6999 (UDP) |
6999 (UDP) |
Software iSCSI Client |
|
3260 (TCP) |
rabbitmqproxy |
|
5671 (TCP) |
vSAN Transport |
|
|
SNMP Server |
161 (UDP) |
|
SSH Server |
22 (TCP) |
|
vMotion |
|
|
VMware vCenter Agent |
|
902 (UDP) |
vSphere Web Access |
|
|
vsanvp |
8080 (TCP) |
8080 (TCP) |
RFB Protocol |
5900–5964 (TCP) |
|
vSphere Life Cycle Manager |
|
|
I/O Filter |
9080 (TCP) |
|
Table 7-14 Network Security Policies
Option |
Setting |
Description |
|---|---|---|
|
|
The virtual switch forwards all frames to the virtual network adapter. |
|
The virtual switch forwards only the frames that are addressed to the virtual network adapter. |
|
|
If the guest operating system changes the effective MAC address of the virtual adapter to a value that differs from the MAC address assigned to the adapter in the VMX file, the virtual switch allows the inbound frame to pass. |
|
|
If the guest operating system changes the effective MAC address of the virtual adapter to a value that differs from the MAC address assigned to the adapter in the VMX file, the virtual switch drops all inbound frames to the adapter. If the guest OS changes the MAC address back to its original value, the virtual switch stops dropping the frames and allows inbound traffic to the adapter. |
|
|
|
The virtual switch does not filter outbound frames. It permits all outbound frames, regardless of the source MAC address. |
|
The virtual switch drops any outbound frame from a virtual machine virtual adapter that uses a source MAC address that differs from the MAC address assigned to the virtual adapter in the VMX file. |
Table 8-2 Information Required for ESXi Installation
Information |
Required or Optional |
Details |
|---|---|---|
Keyboard layout |
Required |
|
VLAN ID
|
Optional
|
|
IP address |
Optional |
|
Subnet mask
|
Optional
|
|
Gateway
|
Optional
|
|
Primary DNS
|
Optional
|
|
Secondary DNS |
Optional |
|
Host name |
Required for static IP settings |
|
Install location
|
Required
|
|
Migrate existing ESXi settings; preserve VMFS datastore |
Required if you are installing ESXi on a drive with an existing ESXi installation |
|
Root password
|
Required
|
|
Table 8-5 Auto Deploy Components
Component |
Description/Purpose |
|---|---|
|
Uses a rules engine, a set of images, a set of host profiles, and required infrastructure to manage ESXi deployments. |
|
Assigns image profiles and host profiles to each host. |
|
Defines host-specific configurations, such as networking, NTP, and host permissions. You can use host customization in conjunction with host profiles to provide details that are unique to each host, such as IP address. |
|
Servers as a command-line engine for driving Auto Deploy. |
|
Servers as a command-line engine for building images. |
|
Manages the vSphere inventory and provides host profiles. |
|
Provides IP configuration to the host and redirects the host to the PXE server. |
|
Boots the host and directs it to the TFTP server. |
|
Provides the appropriate boot image. |
|
Holds a collection of VIBs either online (accessible via HTTP) or offline (accessible via a USB drive or CD/DVD). |
|
Holds a collection of VIBs used to install the ESXi server and saved as ZIP files or ISO images. You can obtain image profiles from VMware and VMware partners, and you can create custom image profiles by using ESXi Image Builder. |
|
Packages a collection of files (such as drivers) into an archive similar to a ZIP file. Each VIB is released with an acceptance level that cannot be changed. The host acceptance level assigned to each host determines which VIBs can be installed to the host. These are the acceptance levels, from highest to lowest:
|
Table 8-9 VECS Stores
Store |
Description |
|---|---|
|
Used by the reverse proxy service on each ESXi host and by the vmdir service. |
|
Contains all trusted root certificates.
|
Solution user stores:
|
VECS includes one store for each solution user. |
|
Used by VMCA to support certificate reversion.
|
Other stores |
Other stores might be added by solutions. For example, the Virtual Volumes solution adds an SMS store. |
The SSO domain contains many predefined groups, including the following:
Users: This group contains all users in the SSO domain.
____________: Members of this group can perform domain controller administrator actions on VMware Directory Service.
____________: Each solution user authenticates individually to vCenter Single Sign-On with a certificate. By default, VMCA provisions solution users with certificates. Do not add members to this group explicitly.
____________: Members have administrator privileges for VMCA. Adding members to these groups is not usually recommended, but a user must be a member of this group to perform most certificate management operations, such as using the certool command.
SystemConfiguration.BashShellAdministrators: Members can enable and disable access to the BASH Shell.
____________: Members can view and manage the system configuration and perform tasks such as restarting services.
____________: Members have full write access to all licensing-related data and can add, remove, assign, and un-assign serial keys for all product assets registered in licensing service.
____________: Members can perform SSO administration tasks for VMware Directory Service (vmdir).
Table 8-10 SSO Policies and Parameters
SSO Policy Parameter |
Policy Setting |
Details |
|---|---|---|
Password Policy |
Description |
Password policy description. |
|
Maximum number of days a password can exist before the user must change it. |
|
|
Number of the user’s previous passwords that cannot be selected. |
|
|
Maximum number of characters that are allowed in the password. |
|
|
Minimum number of characters that are allowed in the password, which must be no fewer than the combined minimum of alphabetic, numeric, and special character requirements. |
|
|
Minimum number of different character types that are required in the password. The types include special, alphabetic, uppercase, lowercase, and numeric. |
|
Identical adjacent characters |
The number of identical adjacent characters that are supported in a password. The value must be greater than 0. |
|
Lockout Policy |
Description |
Description of the lockout policy. |
|
Maximum number of failed login attempts that are allowed before the account is locked. |
|
|
Time period in which failed login attempts must occur to trigger a lockout. |
|
Unlock time |
The amount of time the account stays locked. The value 0 specifies that an administrator must explicitly unlock the account. |
|
Token Policy |
|
Time difference, in milliseconds, that SSO tolerates between a client clock and a domain controller clock. If the time difference is greater than the specified value, SSO declares the token to be invalid. |
|
Maximum number of times a token may be renewed before a new security token is required. |
|
|
Maximum number of times a single holder-of-key token can be delegated. |
|
|
The lifetime value of a bearer token before the token must be reissued. |
|
Maximum holder-of-key token lifetime |
The lifetime value of a holder-of-key token before the token is marked invalid. |
Table 8-11 ESXi 7.0 Kernel Options
Kernel Option |
Description |
|---|---|
autoPartition=TRUE/FALSE (default FALSE) |
This option, if set to TRUE, defines automatic partitioning of the unused local storage devices at boot time. The boot disk gets partitioned with boot bands, ESXi-OSData, and, if the disk is larger than 128 GB, a VMFS partition. Any new empty device discovered will be auto-partitioned as well. Auto-partitioning can be set for only the first unused device with the setting autoPartitionOnlyOnceAndSkipSsd=TRUE. On hosts with USB boot and VMFS-L, ESX-OSData does not exist on other local disks. If a storage device has both a scratch partition and a coredump partition, the scratch partition is converted to ESX-OSData; otherwise, the first unused disk identified is partitioned with ESX-OSData as well. |
|
If this option is set to TRUE, local SSDs are excluded from automatic partitioning. |
|
If this option is set to TRUE, SSD/NVMe devices are excluded, and the ESXi host automatically partitions the first unused local disk if there is no VMFS-L ESX-OSData volume. |
|
If this option is set to TRUE, ESXi can write kernel crash coredumps to the VMFS-L Locker volume on a USB boot device. |
|
This option sets the size of the coredump file (in megabytes) created on the system VMFS-L volume. This is limited to one-half of the space available on the VMFS-L volume. |
|
This option, when set to TRUE, automatically creates a coredump file. This is attempted in the following order:
|
Table 9-2 VLAN ID Details
VLAN ID |
VLAN Tagging Mode |
Description |
|---|---|---|
|
|
The virtual switch does not pass traffic associated with a VLAN. |
|
|
The virtual switch tags traffic with the entered tag. |
|
|
Virtual machines handle VLANs. The virtual switch passes traffic from any VLAN. |
Enhanced LACP support for vDS supports the following load-balancing modes (hashing algorithms):
Destination IP address
Destination IP address and TCP/UDP port
Destination IP address and VLAN
Destination IP address, TCP/UDP port, and VLAN
Destination MAC address
Destination TCP/UDP port
_____________________________
_____________________________
_____________________________
_____________________________
_____________________________
_____________________________
_____________________________
_____________________________
_____________________________
_____________________________
_____________________________
_____________________________
_____________________________
VLAN
Table 10-4 Performance Chart Types
Chart Type |
Description |
Example |
|---|---|---|
Line chart |
Displays metrics for a single inventory object, where data for each metric is represented by a separate line. |
For example, Aa network chart for a host can contain one line showing the number of packets received and another line showing the number of packets transmitted. |
|
Displays metrics for objects, where each bar represents metrics for an object. |
A bar chart can display metrics for datastores, where each datastore is represented as a bar. Each bar displays metrics based on the file type, such as virtual disk or snapshot. |
|
Displays metrics for a single object, where each slice represents a category or child object. |
A datastore pie chart can display the amount of storage space occupied by each virtual machine or by each file type. |
|
Displays metrics for child objects. |
A host’s stacked CPU usage chart displays metrics for the 10 virtual machines on the host that are consuming the most CPU. The Other amount displays the total CPU usage of the remaining virtual machines. |
Table 10-6 CPU Performance Analysis
Symptoms |
Likely Causes |
Potential Solutions |
|---|---|---|
Host: CPU usage is consistently high. Virtual machine: CPU usage is above 90%. CPU ready is above 20%. Application performance is poor. |
The host has insufficient CPU resources to meet the demand. Too many virtual CPUs are running on the host. Storage or network operations are placing the CPU in a wait state. The guest OS generates too much load for the CPU. |
Add the host to a DRS cluster. Increase the number of hosts in the DRS cluster. Migrate one or more virtual machines to other hosts. Upgrade the physical CPUs of the host. Upgrade ESXi to the latest version. Enable CPU-saving features such as TCP segmentation offload, large memory pages, and jumbo frames. Increase the amount of memory allocated to the virtual machines, which may improve cached I/O and reduce CPU utilization. Reduce the number of virtual CPUs assigned to virtual machines. Ensure that VMware Tools is installed. Compare the CPU usage of troubled virtual machines with that of other virtual machines on the host or in the resource pool. (Hint: Use a stacked graph.) Increase the CPU limit, shares, or reservation on the troubled virtual machine. |
Host: Memory usage is consistently 94% or higher. Free memory is 6% or less. Virtual machine: Swapping is occurring. (Memory usage may be high or low.) |
The host has insufficient memory resources to meet the demand. |
Ensure that VMware Tools is installed and that the balloon driver is enabled for all virtual machines. Reduce the memory size on oversized virtual machines. Reduce the memory reservation of virtual machines where it is set higher than needed. Add the host to a DRS cluster. Increase the number of hosts in the DRS cluster. Migrate one or more virtual machines to other hosts. Add physical memory to the host. |
Virtual machine: Memory usage is high. Guest OS: Memory usage is high. Paging is occurring. |
The guest OS is not provided sufficient memory by the virtual machine. |
Increase the memory size of the virtual machine. |
Virtual machine: CPU ready is low. Guest OS: CPU utilization is high.
|
|
|
Datastore: Space utilization is high. |
|
|
|
|
|
Disk: Device latency is greater than 15 ms. |
|
|
Disk: VMkernel latency is greater than 4 ms. Queue latency is greater than zero. |
The maximum throughput of a storage device is not sufficient to meet the demand of the current workload. |
Migrate the virtual machines to datastores backed by storage devices (LUNs) with more spindles. Balance virtual machines and their disk I/O across the available physical resources. Use Storage DRS I/O balancing. Add more disks (spindles) to the storage device backing the datastore. Configure the queue depth and cache settings on the RAID controllers. Adjust the Disk.SchedNumReqOutstanding parameter. Configure multipathing. Increase the memory size of the virtual machine to eliminate any guest OS paging. Increase the guest OS caching of disk I/O. Ensure that no virtual machine swapping or ballooning is occurring. Defragment guest file systems. Use eager zeroed thick provisioned virtual disks. |
Network: The number of packets dropped is greater than zero. Latency is high. The transfer rate is low. |
The maximum throughput of a physical network adapter is not sufficient to meet the demand of the current workload. Virtual machine network resource shares are too few. Network packet size is too large, which results in high network latency. Use the VMware AppSpeed performance monitoring application or a third-party application to check network latency. Network packet size is too small, which increases the demand for the CPU resources needed for processing each packet. Host CPU, or possibly virtual machine CPU, resources are not enough to handle the load. |
Install VMware Tools on each virtual machine and configure the guest OS to use the best-performing network adapter driver (such as vmxnet3). Migrate virtual machines to other hosts or to other physical network adapters. Verify that all NICs are running in full duplex mode. Implement TCP Segmentation Offload (TSO) and jumbo frames. Assign additional physical adapters as uplinks for the associated port groups. Replace physical network adapters with high-bandwidth adapters. Place sets of virtual machines that communicate with each other regularly on the same ESXi host. |
Performance charts are empty. |
Some metrics are not available for pre-ESXi 5.0 hosts. Data is deleted when you remove objects to vCenter Server or remove them. Performance chart data for inventory objects that were moved to a new site by VMware vCenter Site Recovery Manager is deleted from the old site and not copied to the new site. Performance chart data is deleted when you use VMware vMotion across vCenter Server instances. Real-time statistics are not available for disconnected hosts or powered-off virtual machines. Non-real-time statics are rolled up at specific intervals. For example, 1-day statistics might not be available for 30 minutes after the current time, depending on when the sample period began. The 1-day statistics are rolled up to create one data point every 30 minutes. If a delay occurs in the roll-up operation, the 1-week statistics might not be available for 1 hour after the current time. It takes 30 minutes for the 1-week collection interval, plus 30 minutes for the 1-day collection interval. The 1-week statistics are rolled up to create one data point every two hours. If a delay occurs in the roll-up operations, the 1-month statistics might not be available for 3 hours. It takes 2 hours for the 1-month collection interval, plus 1 hour for the 1-week collection interval. The 1-month statistics are rolled up to create one data point every day. If a delay occurs in the roll-up operations, the statistics might not be available for 1 day and 3 hours. It takes 1 day for the past year collection interval, plus 3 hours for the past month collection interval. During this time, the charts are empty. |
Upgrade hosts to a later version of ESXi. Allow time for data collection on objects that were recently added, migrated, or recovered to the vCenter Server. Power on all hosts and allow time for real-time statistics to collect. Allow time for the required roll-ups for non-real-time statistics. |
Table 10-9 Key ESXTOP Panels and Metrics
Panel |
Statistic |
Description |
|---|---|---|
CPU |
|
Percentage of physical CPU core cycles used by the virtual machine. |
CPU |
|
Percentage of total time scheduled for the virtual machine without accounting for hyperthreading, system time, co-stopping, and waiting: %RUN = 100% – %RDY – %CSTP – %WAIT |
CPU |
|
Percentage of time the virtual machine was ready to run but was not provided CPU resources on which to execute. Indicator of CPU contention on the host. |
CPU |
|
Percentage of time the virtual machine spent in the blocked or busy wait state, including idle time. %WAIT includes %SWPWT. |
CPU |
|
Percentage of time a virtual machine spends in a ready, co-deschedule state. A high value indicates that the virtual machine’s multiple CPUs are in contention. |
CPU |
|
Percentage of time a virtual machine spends waiting for the host to swap memory. |
Memory |
|
Amount of physical memory allocated to a virtual machine: MEMSZ = GRANT + MCTLSZ + SWCUR + “Never Touched” |
Memory |
|
Amount of guest physical memory mapped to a virtual machine |
Memory |
|
Amount of the memory consumed by the virtual machine: CNSM = GRANT – Shared Memory |
Memory |
|
Amount of memory swapped by the virtual machine. |
Memory |
|
Rate at which the host swaps in memory from disk for the virtual machine. |
Memory |
|
Amount of memory used for virtual machine overhead, which is memory charged to the virtual machine that is not used by the guest OS. |
Virtual Machine Storage |
|
Number of read commands issued per second. |
Virtual Machine Storage |
|
Number of write commands issued per second. |
Virtual Machine Storage |
|
Megabytes read per second. |
Virtual Machine Storage |
|
Average latency (in milliseconds) per read. |
Network |
|
Number of packets received per second. |
Network |
|
Megabits transmitted per second. |
Network |
|
Percentage of transmit packets dropped. Indicates that the physical network adapter cannot meet the demand, perhaps due to load from other virtual machines. |
Network |
|
Percentage of receive packets dropped. Indicates that insufficient CPU resources are available for network processing. |
Table 10-13 ESXi Log Files
Component |
Location |
Description |
|---|---|---|
VMkernel |
|
Data related to virtual machines and ESXi |
VMkernel warnings |
|
Data related to virtual machines |
VMkernel summary |
|
Data related to uptime and availability statistics for ESXi |
ESXi host agent |
|
Data related to the agent that manages and configures the ESXi host and its virtual machines |
vCenter agent |
|
Data related to the agent that communicates with vCenter Server |
ESXi Shell |
|
Data related to each command typed into the ESXi Shell as well as shell events |
Authentication |
|
Data related to event authentication for the local system |
System messages |
|
General log messages that can be used for troubleshooting |
Virtual machines |
|
Data related to virtual machine power events, system failure information, tool status and activity, time sync, virtual hardware changes, vMotion migrations, machine clones, and more |
Trusted infrastructure agent |
/var/run/log/kmxa.log |
Data related to the client service on the ESXi trusted host |
Key provider service |
/var/run/log/kmxd.log |
Data related to the vSphere Trust Authority key provider service |
Attestation service |
/var/run/log/attestd.log |
Data related to the vSphere Trust Authority attestation service |
ESX token service |
/var/run/log/esxtokend.log |
Data related to the vSphere Trust Authority ESXi token service |
ESX API forwarder |
/var/run/log/esxapiadapter.log |
Data related to the vSphere Trust Authority API forwarder |
Quick Boot |
/var/log/loadESX.log |
Data related to restarting an ESXi host through Quick Boot |
Table 10-14 vCenter Server Logging Options
Logging Option |
Description |
|---|---|
|
No vCenter Server logging occurs.
|
|
The vCenter Server collects only error entries in its log files. |
|
The vCenter Server collects warning and error entries in its log files.
|
|
The vCenter Server collects information, warning, and error entries in its log files. |
|
The vCenter Server collects verbose, information, warning, and error entries in its log files. |
|
The vCenter Server collects trivia, verbose, information, warning, and error entries in its log files. |
Table 11-2 Network Differences in vSAN and non-vSAN Clusters
Factor |
vSAN Is Enabled |
vSAN Is Not Enabled |
|---|---|---|
Network used by vSphere HA |
|
Management network |
Heartbeat datastores |
|
Any datastore that is mounted to multiple hosts in the cluster
|
Host isolation criteria |
|
Isolation addresses not pingable and management network inaccessible
|
Table 11-4 Datastore Browser Options
Option |
Description |
|---|---|
|
Upload a local file to the datastore. |
|
Upload a local folder to the datastore. |
|
Download a file from the datastore to the local machine. |
|
Create a folder on the datastore. |
|
Copy selected folders or files to a new location on the datastore or on another datastore. |
|
Move selected folders or files to a new location on the datastore or on another datastore. |
|
Rename selected files. |
|
Delete selected folders or files. |
|
Convert a selected thin virtual disk to thick. |
Table 11-5 Storage Filters
Filter |
Description |
|---|---|
|
Hides storage devices (LUNs) that are used by a VMFS datastore on any host managed by vCenter Server.
|
|
Hides storage devices (LUNs) that are used by an RDM on any host managed by vCenter Server.
|
|
Hides storage devices (LUNs) that are ineligible for use as VMFS datastore extents because of incompatibility with the selected datastore. Hides LUNs that are not exposed to all hosts that share the original datastore. Hides LUNs that use a storage type (such as Fibre Channel, iSCSI, or local) that is different from the original datastore. |
|
Automatically rescans and updates VMFS datastores following datastore management operations. If you present a new LUN to a host or a cluster, the hosts automatically perform a rescan, regardless of this setting. |
Table 11-7 SCSI over Fabric and NVMe over Fabric Comparison
Shared Storage Capability |
SCSI over Fabric |
NVMe over Fabric |
|---|---|---|
RDM |
Supported |
|
Coredump |
Supported |
|
SCSI-2 reservations |
Supported |
|
Shared VMDK |
Supported |
|
vVols |
Supported |
|
Hardware acceleration with VAAI plug-ins |
Supported |
|
Default MPP |
NMP |
|
Limits |
LUNs=1024, paths=4096 |
|
Table 12-2 Sample ESXCLI Commands
Command |
Description |
|---|---|
esxcli system account add |
Creates an ESXi host local user account |
|
Configures an ESXi host local user account |
esxcli system account list |
Lists ESXi host local user accounts |
esxcli system account remove |
Deletes an ESXi host local user accounts |
|
Lists the host’s DNS servers |
|
Lists the ESXi host’s physical network adapters |
Displays the shell interactive timeout for the host
|
Table 12-4 ESXi Lockdown Mode Behavior
Service |
Normal Mode |
Normal Lockdown Mode |
Strict Lockdown Mode |
|---|---|---|---|
vSphere Web Services API |
All users, based on permissions |
vCenter (vpxuser) Exception users, based on permissions vCloud Director (vslauser, if available) |
vCenter (vpxuser) Exception users, based on permissions vCloud Director (vslauser, if available) |
CIM providers |
Users with administrator privileges on the host |
vCenter (vpxuser) Exception users, based on permissions vCloud Director (vslauser, if available) |
vCenter (vpxuser) Exception users, based on permissions vCloud Director (vslauser, if available) |
DCUI |
|
|
|
ESXi Shell (if enabled)
|
|
|
|
SSH (if enabled)
|
|
|
|
Table 13-4 Lifecycle Manager Definitions
Term |
Definition |
|---|---|
|
A software release that makes small changes to the current version, such as vSphere 7.0 Update 1, 7.0 Update 2, and so on. |
|
A software release that introduces major changes to the software. For example, you can upgrade from vSphere 6.5 to 6.7 and 7.0. |
|
A small software update that provides bug fixes or enhancements to the current version of the software, such as 7.0a, 7.0 Update 1a, and so on. |
|
The smallest installable software package (metadata and binary payload) for ESXi. |
|
An XML file that describes the contents of the VIB, including dependency information, textual descriptions, system requirements, and information about bulletins. |
|
A VIB that is not included in a component. |
|
The hosted version of updates provided by VMware, OEMs, and third-party software vendors, containing the metadata and the actual VIBs. |
|
An archive (ZIP file) that contains VIBs and metadata that you use for offline patching and updates. A single offline bundle might contain multiple base images, vendor add-ons, or components. |
|
A VMware partner, such as Dell, HPE, or VMware Cloud on AWS.
|
|
A provider of I/O filters, device drivers, CIM modules, and so on.
|
Table 13-8 Collection Intervals
Collection Interval (Archive Length) |
Collection Frequency |
Default Behavior |
|---|---|---|
1 day |
|
|
1 week |
|
|
1 month |
|
|
1 year |
|
|