Isolate your HP BladeSystem Management traffic with VLANs

A few weeks ago HP released a major update to their Onboard Administrator, the brains behind the HP c-Class chassis. Previously all of the iLOs (the Integrated Lights-Out remote management processors on each blade) and all of the interconnect modules had to sit on the same VLAN. If a single chassis hosted both test/dev and production environments, or two different security boundaries, you ran into problems: every management interface in the enclosure ended up on one network.

With v3.00 of the Onboard Administrator, you can now individually set the VLAN ID for each and every iLO and interconnect. The trick is to configure the upstream switch port that feeds the Onboard Administrator as an 802.1Q trunk. Prune that trunk down to the management VLANs you actually assign (plus whatever VLAN the OA’s own address sits on) so the enclosure’s management uplink does not become a path between the two boundaries. You can now have test/dev and production servers in the same enclosure and assign each iLO to its proper VLAN. Seems like a simple concept, but it’s a brand new feature.

You can download the OA v3.00 firmware here.

HP BladeSystem Technical Resources

HP really makes it hard to find all of the relevant documentation for their various products. But tonight I stumbled upon a link for all of their BladeSystem documentation. It has quick specs, customer advisories, support docs, quick install docs, and user guides. A cornucopia of documentation for geeky people!

It covers every widget imaginable for the BladeSystem including enclosures, servers, storage blades, workstation blades, virtual connect, mezzanine cards, interconnects, pass-thrus, and iLO.

Check out the “HP BladeSystem Technical Resources” link here.

New Nexus 1000v Release Notes and updated VEM

A few weeks ago Cisco revised their release notes for the Nexus 1000v 4.0(4)SV1(2) version. This is not a new version of the 1000v VSM appliance, just updated documentation. The updates clarify the vMotion, VMware Lab Manager, ACL, and NetFlow limitations. You can check out the new release notes here.

The good news in the revised notes is that vMotion of the VSM is now fully supported. However, you don’t want both the active and standby VSM on the same physical ESX host. Makes sense!

Cisco has released an updated 1000v download package, which appears to have an updated VEM component. The VSM component remains unchanged since the original 4.0(4)SV1(2) release.

VEM v110-

You can download the updated installer package here. If you just want the latest VEM, you can get it from VMware here by selecting VEM from the drop-down. VEMs seem to get updated in conjunction with each new public build of ESX(i).

HP Insight Control Software Updates

For those HP customers using the wide variety of Insight Control products, HP has recently released updates in March and April of this year. Updates include:

Insight Control Server Deployment 6.1, which includes Altiris 6.9 SP4 (April 2010)
HP Systems Insight Manager (SIM) 6.0 (March 2010)
HP Insight Control for Microsoft Systems Center 6.0
HP Insight Control for VMware vCenter server 6.0.1 (April 2010)

For more details on these downloads, see this link. For documentation on these products, release notes and support matrixes, see this link.

vSphere, HP Flex-10/Virtual Connect, and Cisco Nexus resources

I’m smack dab in the middle of designing a robust deployment of VMware vSphere using HP C-class blade chassis, HP Flex-10/Virtual Connect modules, and Cisco Nexus hardware and virtual switches (5000 and 1000v, respectively). This is a pretty forward leaning architecture and fairly complicated. After plowing through a ton of resources to help cement in my mind what I’m doing, I thought I’d share some resources that really helped me.

As my design starts to take shape, I’ll share more of my experiences. First, trying to find documents on HP’s web site is a real PITA. In order of helpfulness, here are a few links for HP Virtual Connect resources. The first one is really killer and got me focused on what I’m trying to accomplish.

HP Virtual Connect Ethernet Cookbook: Single and Multi Enclosure Domain (stacked) Scenarios.
— Note: Scenario 3:2 was perfect for my environment and really shed some light on what I was trying to do. Using a mapped shared uplink set (SUS) fit exactly what I wanted to do.

HP BladeSystem Reference Architecture: Virtual Connect Flex-10 and VMware vSphere 4.0

Virtual Connect Multi-Enclosure Stacking Reference Guide

HP Virtual Connect for the Cisco Network Administrator

HP Virtual Connect 2.30 User Guide

If you will be using Cisco Nexus hardware switches in your architecture, be sure to check out the NX-OS vPC feature. It can increase availability and system throughput by letting a single port channel (LACP or static) terminate on two physical switches, so you get active/active uplinks without relying on spanning tree to block a path.

Virtual PortChannels: Building Networks without Spanning Tree Protocol

Virtual PortChannel Quick Configuration Guide

For additional Cisco documentation, check out my previous blog post.

My advice is first figure out whether you want to use Virtual Connect in mapped mode or trunked mode. That will determine the rest of your design. Check out my first link for the best material to help make that decision. After you make that determination, the rest of the solution starts to fall in place.

New VMware Certifications announced!

I’m pretty excited about the newly announced VMware exams. VMware had a big gap between their entry-level VCP certification and the mother of all certifications, the VCDX. The two new exams are:

VMware Certified Advanced Professional – Enterprise Admin
VMware Certified Advanced Professional – Design

Having a VCP 4.0 is required to take these tests, but there are no additional course requirements. So if you are brave, you can study for them on your own and try to pass the test. Of course VMware wants your money too, so they have four new optional classes to help you prepare for the exams.

The enterprise admin certification has three prep classes: vSphere Manage for Performance, vSphere Troubleshooting, and vSphere Manage and Design for Security. If you are more of a design geek, they are offering vSphere: Design Workshop.

More details will be available in May, with tests coming online a couple of months after. So by mid-summer you can start taking the VCAP exams. I think this is a great move by VMware to let IT professionals distinguish themselves from the common place VCP. I’ll probably start with the design track and see how that goes.

I couldn’t yet find details on VMware’s web site, but this blog has a few more details.

New HP Server Firmware Update CD

Normally I wouldn’t blog about a minor rev in a vendor’s firmware update CD. But last week HP released a major version, with significant changes, of their ProLiant firmware update CD. They’ve combined several of their offline update CDs into a single DVD that covers the ML and DL rack/tower servers plus the BL blade servers. What’s really nice about this release, and a major time saver, is that the firmware update is 100% automated.

By 100% automated, I mean just that! Pop in the DVD, reboot the server and come back 10 minutes later and it’s all done. You don’t need to answer a single question or click on a single screen. I updated an entire chassis of 14 blade servers today while I was multi-tasking, and it was a breeze.

There is a timed menu that comes up for 30 seconds that you can break into and do a manual or more targeted update of just certain components. The manual approach also lists the tested blade firmware bundles so you know exactly what versions are compatible. Or you can inject your own updates into the DVD and use the very latest versions. I chose to inject the latest system ROM and iLO2 firmware, and the automated routine picked them up without a hitch.

I’m glad to see that HP combined their various offline update methods and fully automated the process. My only complaint is that the server is rebooted after all of the updates are done, and if you don’t catch it, it will boot off the DVD again and scan for updates. Of course the firmware will already be up to date so nothing happens, but it will get stuck in this endless reboot-and-check loop until you interrupt it. It really should wait for user input before it reboots.

You can download the newly titled “Smart Update Firmware DVD” v9.00 here. Even though the DVD was released last week, it doesn’t have the very latest iLO or G6 System ROMs. So should you want those, just download the Linux .scexe binary and inject it into the DVD.

UPDATE: HP says automatic mode should eject the DVD after it has completed and thus not get into a reboot/update cycle. Unfortunately the external DVD reader for my BL4980c G6 servers isn’t ejecting properly. So YMMV on this problem.

Final vSphere Hardening Guide Released

After a few months the highly anticipated vSphere 4.0 hardening guides have been released. Several months ago VMware released beta versions which I thought were pretty good. Seeing as DISA doesn’t have STIGs for vSphere, the next best thing is vendor provided documentation.

You can see the full release here and download the new guides. Go forth and harden thy vSphere servers!

Server 2008 R2 Read-Only disks in ESX Templates

During the build process of my Windows Server 2008 R2 VM templates, I had a perplexing problem with my second virtual disk after sysprep completed. In my previous blog post I showed a PowerShell command that reassigned a drive letter. It worked great, but I noticed a problem. My “D” drive, which is a second PVSCSI disk, was being mounted as read-only. If I manually took the disk offline and brought it back online, magically it was read-write.

However, using a script to take the disk offline and bring it online did not remove the read-only attribute. After a bit more digging, I found a command that works like a charm. I had to change the disk attributes and clear the read-only flag.

The full PowerShell script, which I call from c:\Windows\Setup\Scripts\SetupComplete.cmd, is shown below. Two things to keep in mind: SetupComplete.cmd runs as SYSTEM at the end of the sysprep specialize/OOBE pass, so anything in here runs with full privileges and no one watching, and “select disk 1” hard-codes the second disk, which only holds if the template always presents its disks in the same order.

# Diskpart script: bring the second disk (index 1) online and clear the
# read-only attribute that it comes up with after sysprep.
$script = @"
select disk 1
online disk noerr
attributes disk clear readonly
"@

# Feed the commands to diskpart on stdin (the trailing newline makes sure the
# last command is executed).
$scriptdisk = $script + "`n"
$scriptdisk | diskpart

# Re-letter the volume currently mounted at E: as Z:. mountvol /L looks up the
# \\?\Volume{...} path for the mount point, /D removes the old letter, and the
# final call mounts the same volume on the new letter. Takes effect immediately.
echo E: | %{ $a = mountvol $_ /l; mountvol $_ /d; $a = $a.Trim(); mountvol Z: $a }

I don’t know if the read-only problem comes from sysprep, changing drive letters, a VMware thing, or what. Since the script is executed during the sysprep process, you never know what is going on behind the scenes. With the extra diskpart step, the drive letters get changed and the D drive comes up read-write, just as you’d expect.

Change a volume drive letter with Powershell

I ran across a useful command that instantly reassigns a drive to another letter, and another one-liner that detects a CD-ROM and assigns it a particular letter. For additional details and a richer script, check out this blog post from The Admin Guy. The piece that I found most useful from his script was:

(gwmi Win32_CDROMDrive).Drive | %{ $a = mountvol $_ /l; mountvol $_ /d; $a = $a.Trim(); mountvol x: $a }

That one-liner detects a CD-ROM drive and re-assigns it the letter X. It works great on systems with one CD-ROM; with more than one, each drive in turn would be moved onto X: and only the last one wins. Taking this as an example, I slightly modified the command to take a fixed drive letter as input and then re-assign it another letter. Here the drive changes from X to Y.

echo x: | %{ $a = mountvol $_ /l; mountvol $_ /d; $a = $a.Trim(); mountvol y: $a }

One great thing about these commands is that the change happens immediately, unlike a VBS script I was trying to use earlier this week that just hacked the registry and required a reboot. I’m using these scripts in my Server 2008 R2 ESX template to re-assign various drive letters during the sysprep process.
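The two post-sysprep tasks on this page, clearing the read-only attribute on the second disk and re-lettering a volume with mountvol, both run unattended as SYSTEM and both blindly assume their target (disk 1, a free Z:). The following helpers are an added example, not the original post’s script, written for the PowerShell 2.0 that ships with Server 2008 R2 (no Storage module, so diskpart and mountvol do the work). They check state before changing it so the script is safe to re-run. Assumptions: diskpart’s “attributes disk” output contains a line of the form “Read-only  : Yes|No”, mountvol /L prints a single \\?\Volume{...}\ path for the mount point, and the function names are mine.

```powershell
# Added example (not from the original post). Target: PowerShell 2.0 on
# Server 2008 R2, run from SetupComplete.cmd as SYSTEM.
# Assumed: diskpart "attributes disk" prints "Read-only  : Yes|No";
#          mountvol <letter> /L prints one \\?\Volume{...}\ path.

function Invoke-DiskPart {
    # Feed a list of diskpart commands on stdin and return the output as one string.
    param([string[]]$Commands)
    $out = $Commands | diskpart.exe
    return ($out -join "`n")
}

function Test-DiskReadOnly {
    # True when diskpart reports the persistent read-only attribute set on disk $Index.
    # "Current Read-only State" is a different line and is deliberately not matched.
    param([int]$Index)
    $text = Invoke-DiskPart @("select disk $Index", "attributes disk")
    return [bool]($text -match '(?m)^Read-only\s*:\s*Yes')
}

function Clear-DiskReadOnly {
    # Bring the disk online and clear read-only, but only if it is actually set,
    # so re-running from SetupComplete.cmd is a no-op. Returns $true on success.
    param([int]$Index)
    if (-not (Test-DiskReadOnly $Index)) { return $true }
    Invoke-DiskPart @("select disk $Index",
                      "online disk noerr",
                      "attributes disk clear readonly") | Out-Null
    return (-not (Test-DiskReadOnly $Index))
}

function Move-DriveLetter {
    # Re-point the volume mounted at $From (e.g. "E:") to $To (e.g. "Z:").
    # Refuses to clobber a letter that is already in use and refuses to proceed
    # if mountvol cannot resolve the source to a volume GUID path.
    param([string]$From, [string]$To)
    $letters = gwmi Win32_LogicalDisk | ForEach-Object { $_.DeviceID }
    if ($letters -contains $To)      { throw "$To is already assigned" }
    if ($letters -notcontains $From) { throw "$From is not mounted" }

    $guid = (mountvol $From /L | Out-String).Trim()
    if (-not $guid.StartsWith('\\?\Volume{')) { throw "could not resolve $From to a volume" }

    mountvol $From /D          # drop the old mount point
    mountvol $To   $guid       # mount the same volume on the new letter, effective immediately
}

# Usage in the template's SetupComplete.cmd: second disk first, then re-letter E: to Z:.
# Clear-DiskReadOnly -Index 1
# Move-DriveLetter -From 'E:' -To 'Z:'
```

The index check in Clear-DiskReadOnly still trusts that disk 1 is the data disk; if the template ever gains a third disk, confirm the index with a “list disk” pass (or match on size) before clearing attributes on it. Move-DriveLetter fails loudly rather than silently re-homing whatever happened to be on the target letter, which is the behaviour you want from something that runs as SYSTEM with nobody at the console.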

