Troubleshooting with vRealize Network Insight

I've had the opportunity to use vRealize Network Insight (vRNI) lately during a network migration project and it has proven invaluable.  We've used it to collect data about the subnets before they're migrated and we use it to help troubleshoot issues after the migration is completed.  It's given us great visibility into the traffic on the network and into where that traffic is being blocked.  So, how do we use it?

Before the migration, we use it to scrape a ton of data from the source subnet, as we need to know what's going on with the servers that are running there.  At the start of the project, we attempted to learn those details by asking the application owners about their applications' requirements, however we found that the vendor documentation was universally poor, especially when compared against the needs of micro-segmentation.

To get that information, I execute a very simple query in vRNI: flows where subnet = <subnet>.  This returns a list of al…

Behind the Scenes with VMware UEM Run Once Settings

I've recently had the opportunity to do a project with VMware UEM where we've made some use of the Run Once setting on a few config items (expect more on that later).  I was hesitant to build that setting into my design though, without having a thorough understanding of what it's doing behind the scenes (for example, what do I do if I need to make it run a second time for some reason?), so I did some research and experimenting.

Eventually, I came across a VMware KB Article describing the Run Once Special flag, which explained what was going on, although I still had to poke around a bit to find the file itself and fully understand the behavior.  That article described the Run Once process as creating flag files named .[L-computername.1] in the hidden FlexRepository user profile folder.  If such a flag file is found for a given setting, UEM does not run that setting again while Run Once is enabled on it.

Let's look at an example Logon Task that has Run Once enabled, and how the system works…

The Value of Automation

I've been doing more and more work around automation, as have a lot of people in our industry.  But, why do we do it?  Many of the tasks that we automate are trivial, easy things that an administrator can do with very little thought, yet we still invest days, weeks or even months in creating automated systems to do those tasks instead.

Well, first let's look at why we automate those trivial tasks.  It turns out that very few tasks are actually trivial; we are just really good at glossing over details.  That's just part of being human and is how we manage to get by in the world.  Take an activity as simple as typing this blog post - trivial, right?  Just type some things into the interface.

Well, discarding any difficulties in figuring out what to type, think of the pure mechanics of getting it into the interface.  Every character in this post corresponds with a keystroke on my keyboard (and, given how many typos I make and how often I change my mind about what I want to say, i…

Moving Clustered VMs with Shared Physical Mode RDMs

This is probably one of those articles that's only going to apply to a tiny percentage of people within an already minuscule niche subset of a small population... but I'm proud of my work and so am going to post it here anyway.  One of my customers needs to move a bunch of VMs off of one SAN onto another.  Storage vMotion for the win, end of story, right?  Yes*

* 99% of the problem is absolutely solved with Storage vMotion, but I'm not in the business of leaving 1% unfinished.  In this case, that 1% was a bunch of older SQL Servers, set up in 2 node pairs using Microsoft Clustering Services via shared Physical Mode RDMs.  Yikes.

In theory, this process isn't too bad.  Just record the vital statistics about the RDMs, then detach them from the VMs, move the VMs (during an outage window, obviously), create new RDMs using the recorded data, and power everything back up.  This process depends on the new-harddisk cmdlet... but given that I'm writing about it here, you…

How to use SSH and SCP with VCSA

I was replacing some vCenter Server Appliance (VCSA) self-signed certificates with signed certs from an Active Directory Certificate Authority and I came across a minor issue that I wanted to document here.  I was using the /usr/lib/vmware-vmca/bin/certificate-manager tool to generate the CSR, and then PSCP to download the CSR and hand it off to the security team.

When I first tried to use pscp to get the file, I encountered an error that I hadn't seen before:

Fatal: Received unexpected end-of-file from server

Some quick googling didn't turn up any hits on this issue, but I thought of something as I was poking around.  When I connected to the VCSA via SSH, it didn't drop me to a BASH shell until I did the usual "shell.set --enabled True" "shell" operation that it prompts you with.  Since PSCP (and SCP in general) is just establishing an SSH connection to the host and then doing a copy command, I figured that my issue was probably that the default root s…

Parsing Palo Alto Config XML into PowerShell Objects

One of my customers is converting into an NSX-based network design.  In order to facilitate this conversion, they need to understand the rules that exist on their Palo Alto firewall and then recreate those desired behaviors in the NSX microsegmentation.  Their challenge was that their Palo Alto had a fairly complex ruleset, one that no one wanted to try and recreate by hand in NSX.  I'm sure that you can see where this is going.

Before we could create anything in NSX (via the ever-evolving PowerNSX module), we had to understand the configuration of the existing firewall.  When I asked about exporting the configuration, the networking team told me that they had two options: JSON or XML.  Not knowing what I was likely to get working, I asked for them both, then tried convertfrom-JSON and import-clixml on the provided files.  Neither worked, so I had to do some digging.

After banging my head into a wall for a while, one of my coworkers gave me a copy of a script that he got from Palo…

PowerCLI's RunAsync Parameter Rocks!

I've recently been playing around with the -RunAsync parameter in some of my PowerCLI scripts, and I'm super impressed!  I'm also super late to the party; I mean, LucD was writing about it back in 2010, but still!  So, what's it do?  It speeds up tasks that don't need to be run sequentially, that's what it does.

For example, if I have a list of VMs that all need to move into a new folder, I could do it like this:

$folder = get-folder "New Folder"
$vmNames = get-content MyList.txt
foreach ($vmname in $vmNames){
    get-vm $vmname | move-vm -destination $folder
}

And that would move one VM, then the next, then the next, etc.  Depending on the number of VMs, it could take a really long time, because, the way this script is written, PowerCLI waits for each "move" to complete before initiating the next.  That's where -RunAsync comes in.

$folder = get-folder "New Folder" $vmNames = get-content MyLi…