Configure vCloud Director 9.x Org Rights needed for L2 VPN Stretching – vCloud Extender

I am currently working on a new lab environment that consists of vCloud Director (vCD) Extender and vCloud Availability.

Our documentation provides a method for writing out the permissions needed via curl/API commands. I decided to take a shortcut and just use a PowerShell script.

Configuring vCloud Director Organization Rights for L2 VPN Stretching – VMware Documentation

If you don’t know what the heck I’m talking about, vCloud Director Extender is our plugin product for migrating workloads from an on-prem environment to a vCD environment. Check out my installation guides here:

vCloud Director Extender – Installation Review

vCD Extender – Warm Migration Setup

I *thought* that vCloud Director 9.x would already include all of the advanced organization permissions required for L2 stretching. I was incorrect: it’s missing a few things (really just two, but I followed our exact documentation and added everything it lists).

Per my findings, my vCD 9.0.0.1 environment was missing the following rights from the Org Admin role:

  • Organization vDC Gateway: View L2 VPN
  • Organization vDC Gateway: Configure L2 VPN

So I modified my previous script (see here) to write the required org permissions to establish and set up the L2 VPN / Data Center Connection for vCloud Director Extender.

Before I ran the script, I saw this:

Running the script….

After running the script, I now see the two new L2 VPN options available to my org admin.

Done! Now I can continue on with my L2 setup.

More to come and script is below, thanks!

-Daniel

# vCD Extender Permissions Setup - initially created by KiwiCloud.Ninja - modified by Daniel Paluszek - paluszek.com
# January 17th, 2018 - Modified for a vCloud Director 9.x Instance
# Script to add new OrgRights options for administering advanced Edge Gateway to a vCloud Director organisation.
# Note that Organisation roles (e.g. Organizational Administrator) still need to be edited to add these rights once
# this script has been run against their org.
# NOTE: You must be connected to the vCloud API (Connect-CIServer) with a System administrative user prior to running the script for this to work.
# Set your Org name and the vCD API endpoint (the name you used with Connect-CIServer) in the two variables below.
$OrgToUpdate = 'T1'
$APIendpoint = 'vcd-01a.corp.local'

Function vCloud-REST(
    [Parameter(Mandatory=$true)][string]$URI,
    [string]$ContentType,
    [string]$Method = 'Get',
    [string]$ApiVersion = '27.0',
    [string]$Body,
    [int]$Timeout = 40
)
{
    # Reuse the session token from the existing Connect-CIServer session for this endpoint.
    $mysessionid = ($global:DefaultCIServers | Where { $_.Name -eq $APIendpoint }).SessionId
    $Headers = @{"x-vcloud-authorization" = $mysessionid; "Accept" = 'application/*+xml;version=' + $ApiVersion}
    # Drop empty optional parameters so Invoke-RestMethod receives $null rather than an empty string.
    if (!$ContentType) { Remove-Variable ContentType }
    if (!$Body) { Remove-Variable Body }
    Try
    {
        [xml]$response = Invoke-RestMethod -Method $Method -Uri $URI -Headers $Headers -Body $Body -ContentType $ContentType -TimeoutSec $Timeout
    }
    Catch
    {
        Write-Host "Exception: " $_.Exception.Message
        if ( $_.Exception.ItemName ) { Write-Host "Failed Item: " $_.Exception.ItemName }
        Write-Host "Exiting."
        Return
    }
    return $response
} # Function vCloud-REST End

# The new vCloud Director API v27.0 OrgRights for vCD Extender Preparation and Advanced Networking:
$newrights = @{}
$newrights.Add("Organization vDC Gateway: Convert to Advanced Networking", "9dc33fcb-346d-30e1-8ffa-cf25e05ba801")
$newrights.Add("Organization vDC Gateway: View L2 VPN", "105191de-9e29-3495-a917-05fcb5ec1ad0")
$newrights.Add("Organization vDC Gateway: Configure L2 VPN", "eeb2b2a0-33a1-36d4-a121-6547ad992d59")
$newrights.Add("Organization vDC Gateway: Configure Firewall", "b755b050-772e-3c9c-9197-111c286f563d")
$newrights.Add("Organization vDC Network: Edit Properties", "b0cfe989-521b-3d7f-9bc2-f23c74a99633")
$newrights.Add("Organization vDC Network: View Properties", "2c8d98ef-4acc-3be4-9214-fcb9682b7a19")

$myendpoint = $global:DefaultCIServers | Where { $_.Name -eq $APIendpoint }

if (!$myendpoint.IsConnected) {
    Write-Host "Not connected to this vCloud endpoint, use 'Connect-CIServer' before running this script."
    Exit
}

$org = Get-Org -Name $OrgToUpdate -Server $APIendpoint

if (!$org) {
    Write-Host "Couldn't match organization with name $OrgToUpdate, exiting."
    Exit
}

# The org Id is a URN (urn:vcloud:org:<uuid>); the admin API path needs only the UUID part.
$rightsuri = 'https://' + $APIendpoint + "/api/admin/org/" + $org.Id.Substring($org.Id.LastIndexOf(':')+1) + "/rights"

[xml]$rights = vCloud-REST -URI $rightsuri -ContentType 'application/vnd.vmware.admin.org.rights+xml' -Method 'Get' -ApiVersion '27.0'

# Add the new API v27 'RightReference' elements to the XML returned:
foreach($newrule in $newrights.Keys) {
    $newright = $rights.CreateElement("RightReference", "http://www.vmware.com/vcloud/v1.5")
    $newright.SetAttribute("href","https://$APIEndpoint/api/admin/right/$($newrights.Item($newrule))")
    $newright.SetAttribute("name",$newrule)
    $newright.SetAttribute("type","application/vnd.vmware.admin.right+xml")
    # AppendChild returns the node; cast to void so it does not clutter the output.
    [void]$rights.OrgRights.AppendChild($newright)
}

# Update the Organization with the amended rights:
vCloud-REST -URI $rightsuri -ContentType 'application/vnd.vmware.admin.org.rights+xml' -Body $rights.InnerXml -Method 'Put' -ApiVersion '27.0'
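The before/after check above is done by eye in the UI. As an added example (not part of the original post or the KiwiCloud.Ninja script), the snippet below reads the org's current rights through the same admin API and reports which of the two L2 VPN rights are missing, adding only those when run with -Fix, so it can be re-run safely. It assumes an existing Connect-CIServer session as a system administrator, API version 27.0, and the right names and IDs from the script above; the $required table can be extended with the other entries of $newrights.

```powershell
# Added example: report (and optionally add) missing L2 VPN org rights.
# Assumes Connect-CIServer has already been run as a system administrator.
param(
    [string]$OrgToUpdate = 'T1',
    [string]$APIendpoint = 'vcd-01a.corp.local',
    [switch]$Fix
)
# Right names and IDs as listed in the script above (vCD API v27.0).
$required = @{
    'Organization vDC Gateway: View L2 VPN'      = '105191de-9e29-3495-a917-05fcb5ec1ad0'
    'Organization vDC Gateway: Configure L2 VPN' = 'eeb2b2a0-33a1-36d4-a121-6547ad992d59'
}
$session = ($global:DefaultCIServers | Where-Object { $_.Name -eq $APIendpoint }).SessionId
if (-not $session) { throw "Not connected to $APIendpoint; run Connect-CIServer first." }
$headers = @{ 'x-vcloud-authorization' = $session; 'Accept' = 'application/*+xml;version=27.0' }

$org = Get-Org -Name $OrgToUpdate -Server $APIendpoint
if (-not $org) { throw "Organization '$OrgToUpdate' not found." }
$orgUuid  = $org.Id.Split(':')[-1]            # urn:vcloud:org:<uuid> -> <uuid>
$rightsUri = "https://$APIendpoint/api/admin/org/$orgUuid/rights"
[xml]$rights = Invoke-RestMethod -Method Get -Uri $rightsUri -Headers $headers

# The org's current rights are RightReference elements; compare by name.
$present = @($rights.OrgRights.RightReference | ForEach-Object { $_.name })
$missing = @($required.Keys | Where-Object { $present -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host "Org '$OrgToUpdate' already has both L2 VPN rights."
    return
}
Write-Host "Org '$OrgToUpdate' is missing:"
$missing | ForEach-Object { Write-Host "  - $_" }

if ($Fix) {
    foreach ($name in $missing) {
        $el = $rights.CreateElement('RightReference', 'http://www.vmware.com/vcloud/v1.5')
        $el.SetAttribute('href', "https://$APIendpoint/api/admin/right/$($required[$name])")
        $el.SetAttribute('name', $name)
        $el.SetAttribute('type', 'application/vnd.vmware.admin.right+xml')
        [void]$rights.OrgRights.AppendChild($el)
    }
    Invoke-RestMethod -Method Put -Uri $rightsUri -Headers $headers -Body $rights.InnerXml `
        -ContentType 'application/vnd.vmware.admin.org.rights+xml' | Out-Null
    Write-Host "Added $($missing.Count) right(s); re-run without -Fix to verify."
}
```

As with the script above, adding rights to the org does not grant them to anyone until the Organization Administrator role is edited to include them.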

Update VMware vCloud Director 9 in 5 Minutes

I sometimes hear that vCloud Director (vCD) is cumbersome and hard to install/upgrade. I just updated my lab environment vCD instance from 9.0 to 9.0.1 in about five minutes. The team has done an incredible job of making the patch/upgrade process seamless. The upgrade steps are below, along with the documentation link.

Upgrade VMware vCloud Director Installation – Documentation

We can see I’m running the 9.0 base version. As stated above, we will upgrade to 9.0.1.

Download and check integrity

  1. Go to vmware.com and download the latest upgrade package 
  2. Upload via SCP (or your method of transfer) to your vCD cell 
  3. Now let’s SSH to our vCD cell and verify the md5sum against the published value to make sure nothing was corrupted between downloading the file and copying it over. Yes, the md5 matches and we are good! 
  4. Let’s go ahead and make the bin file executable. “chmod u+x <filename>” makes it easy and now we can see it’s executable. 

Run the Installer

  1. We are now ready to run the vCD installer bin file. Let’s go ahead and dot slash it! 
  2. The installer will verify you have an upgradeable version of vCloud Director and ensure you want to proceed with the upgrade. Type “y” to continue on. 
  3. Now we can see the installer is stopping the vCD cell processes and continuing on with the installation.
  4. And we are complete! The last message we see is we need to perform the database upgrade to ensure the schema is up to date. 

Update the vCloud Director Database

  1. Okay, let’s go ahead and run “/opt/vmware/vcloud-director/bin/upgrade” – we see a message asking whether you want to continue with the upgrade. You’ll want to make sure all of your other cells are stopped so there are no open database connections. 
  2. The upgrade will look at the database and ensure everything is acceptable. Again, you’ll be prompted one more time, just to make sure you have that backup! 🙂 
  3. We can see the upgrade task was completed and everything looks great. We are prompted to start the vCD services back up. Type y to continue on. 
  4. Services are started! 

Let’s log in and check the build version. There we go, on the latest version of vCloud Director 9.0!

That’s it. Very easy and straightforward. If you’re interested in further insight on architecting vCloud Director, do check out our free vCloud Architecture Toolkit papers:

Thanks!

-Daniel

My Deployment Experience with Ubiquiti Networks

I was the fortunate winner of the vBrownBag year-end contest and won Ubiquiti Networks gear. I wasn’t sure what I was going to get, but wow, was I surprised!

I’ve been wanting to pick up Ubiquiti gear for some time now – I was running an older Meraki deployment from my Cisco days, which has served me well. However, the MR18 was definitely showing its age from a channel utilization perspective.

I *finally* got a chance to sit down yesterday and start deploying out a simple design for now while also learning about Ubiquiti Networks gear.

I also jumped into this without reading much documentation and quite frankly, understanding of how the Ubiquiti model works. I wanted to see how easy it was to deploy based on my past network experience.

From a top-level topology perspective, I laid out the deployment as shown below; it’s pretty straightforward.

Deployment Steps

  1. I first created an account on Ubnt.com, fairly straightforward and showed a demo controller. 
  2. I was a little confused on which step I should take next – do I need to set up the USG first or the Cloud Key? Well, I kind of did both, which was fine.
  3. I plugged in the USG and allowed the default DHCP settings while just setting up a hardwired connection from my laptop. 
  4. From here, I was able to start a setup wizard on the USG. Very straightforward while setting some initial defaults.
  5. I did initially set it up with a local Controller (not the Cloud Key) but was able to move over the USG pretty seamlessly.  
  6. From there, I started adding in the AP and the Switch. Adoption was easy, just a click of the button.
  7. I upgraded to the latest code and voila, complete with my initial basic setup!

Experience and Testing so far

  1. The deployment was very easy in my opinion and the usability is even easier, maybe even too easy? You can tell Ubiquiti spent a lot of time on the visuals of the UniFi dashboard along with what typical administrators would be configuring.
  2. I think the hardest part was the ramifications of the SSID channel and key change – I had to reprogram quite a few devices!
  3. I’ve had wireless congestion issues in the past on 11B/G spectrum, so it was great to see some of their insights/stats on congestion. Again, changing the radio channel was very easy. 

Now, for my very scientific (sarcasm) test – before and after wireless speeds.

From my office where all of my gear is, I did a before and after throughput test on my iPhone.

While it’s not an apples-to-apples comparison as it relates to the gear (I realize the Ubiquiti gear is much newer), I’ve improved my downstream throughput by 2x, which is outstanding.

I’m very satisfied with the quality of the Ubiquiti Networks gear and I can tell how it’s caught on in the industry. I plan on adding another 8 port switch and also another AP down the road. I’ll be also carving up VLANs and different networks based on use case. I’m interested to see what else can be done from the USG, looks like I can even configure terminal access.

Thanks!

-Daniel

VMware VCIX6-NV Unlocked – Experience and Tips

I am happy to state that I passed my VCAP-NV and will be achieving VCIX6-NV.

This was an exhausting test – and sometimes frustrating. I even had a PSOD on one of my hosts that I had to resolve (pretty sure that was not part of the lab test)!

I have many people to thank but there have been some great guides out there. I posted a blog article on links I collected for preparing for my VCAP-NV.

I’ll be the first to admit this was my second attempt at my VCAP-NV: the first attempt just got to me. Not to make any excuses, but my background isn’t networking/routing, so many of these topics were new to me.

I dusted myself off and said I’ll knock the second attempt out of the park. As you can see, VMware does document the blueprint objectives you missed on the test.

So what did I do? Before I start that, here’s a summary of my experience:

Summary

  1. This test will frustrate you. Yes, it is meant to. Accept it and embrace it.
    1. It is a nested vPOD/Lab environment. ProTip – for East Coasters, schedule your test first thing in the morning before the West starts working – much more responsive!
  2. It will attempt to confuse you. Take a deep breath and look at the overall question – what are you trying to accomplish?
    1. Also, sometimes the simplest answer is all you need. Don’t overcomplicate things (I have a tendency to do this).
  3. Do not spend too much time on a specific problem. If it’s not working as expected, make a note of it and move on.
    1. This was my problem with the first attempt. I spent too much time on a specific set of questions and ran out of time.
  4. Stay true to the Blueprint. If you practice and study using its guidelines, you will be okay.

First off, I wrote the entire Blueprint on my whiteboard with the main tasks. Excuse my handwriting, but you get the gist of what I was trying to accomplish here. I notated how many times I did a specific item.

After I didn’t make it the first attempt, I circled the sections I missed in black (even though half of them were because I just ran out of time). These were areas I focused on for the second attempt.

Focus Areas

  1. Lab, lab, and lab. This is a test you cannot dump your way through. I don’t see how it would be possible to pass this without hands-on experience, especially with routing protocols and how NSX interacts with them.
    1. Labs of Focus
      1. The VMware Hands-On Labs (HOL) is FREE! You would be crazy for not using these and getting some insight/guidance on how things work. I primarily used the 1803 and 1825 labs on VMware HOL – link here.
      2. VMware Education – NSX Install, Configure, Manage – Lab Connect.
        1. I thought this was a great, self-paced approach to a vPOD environment with 22 guided labs. There is a cost to using this, but I believe there may be discounts for Partners.
        2. VMware Education – Install, Configure Manage – Lab Connect Link
      3. Josh Andrews’ VCIX6-NV Practice Exam
        1. I thought this was a very nice addition from SOSTech / Josh Andrews.
        2. Josh provided 9 sample “test” questions using the 1703 (or 1803 which is the new version) lab.
        3. Definitely test yourself and document where you may struggle.
        4. Link to the SOSTech VCIX6 Practice Exam
    2. Existing Blog Guides
      1. I thought Clinton’s VCAP6-NV guide was the most comprehensive one out there. I used it as a rule of thumb and mimicked many of the things he documented in his blog series. DEFINITELY spend some time here.
      2. Other Guides I went through:
        1. Chestin Hay / v4Real – Link
        2. Lostdomain.org – Study Guide (a little dated, but still pertinent info)
        3. thecloudexpert / Chris Lewis’ guide – Link
      3. There are probably others I’m missing, but definitely leverage what’s out in the community – thank you to those of you that have published and spent a significant amount of time documenting!
  2. Practice and get involved. Read all of the publications out there on VMware’s site. Build out designs for customers. This will take time but provides further exposure and compounding of the topics.
  3. Break stuff. You need to see how NSX works when you start “pulling cables” if you will. I spent countless hours just doing this. There are several troubleshooting topics so you’ll need to understand what happens when things go awry.

What’s next? I will continue to focus on VMware NSX, but may attempt one of the VCAP-DCV’s. I hope this post will benefit others – cheers!

-Daniel