Apr 17 2012

A Customer’s Take on EMC VSPEX, Vblock, and FlexPod

Update: As has been pointed out by numerous people (comments and twitter) FlexPod is indeed hypervisor agnostic.  Check out the Cisco DesignZone for FlexPod to see all the validated solutions.  Learning that changes the details of this post slightly but the bottom line and overall sentiment is still the same.  Thanks to @friea and Satinder for your help!

As if we need more information or opinions on this subject but much of what has already been written has been written by partners, manufacturers, or journalists. I am a customer and full disclosure I am a NetApp customer. Actually a pair of Nexus 5k’s short of a FlexPod customer, too.

You all know what the differences are between those solutions by now (if not see HERE).   Here is a regurgitation of a few main points:

  • Vblock is not a reference architecture and is not really included in this comparison.  Vblock has strict requirements for software versions and only includes EMC, VMware, and Cisco components.
  • FlexPod is a reference architecture that includes NetApp, Cisco, and VMware (see update above).  Since it is a reference architecture and not a prebuilt and validated solution it is less rigid.  However, it still requires components from those 2 vendors.
  • VSPEX is also a reference architecture that includes components from several more vendors including Brocade, Microsoft, and Citrix.

Without getting into the debate on reference architecture (FlexPod, VSPEX) vs prepackaged solution (Vblock) I do want to compare and contrast the reference architectures themselves.  Vblock is a great solution where it fits but it is really not part of the reference architecture discussion.  FlexPod is closed to Cisco and VMware along with NetApp storage.  No one can argue that those are not best of breed components but there are many customers out there that already have infrastructure with Citrix, Brocade, or god forbid Hyper-V.  Those customers have barriers to rip-and-replace and the reference architectures do allow for some flexibility on the journey.

What I see with VSPEX, though, is really exciting.  It will allow partners to co-brand their solution and give them the flexibility to use different hypervisors (Microsoft, Citrix, VMware) and networking (Cisco, Brocade).  Obviously you’re locked into EMC storage with VSPEX but so too are you locked into NetApp with FlexPod.  This move, in my opinion, really shows EMC’s commitment to changing its reputation with the partner community.  Now don’t get me wrong, what value is co-branding really adding?  But it does provide a mechanism for the partner to feel more engaged and provide that “This is OUR solution, not EMC’s.  We, the partner, are providing this value to you.”  The partner can then have additional instruments for revenue generation in terms of support, managed services, and consulting around the solution they’ve built around the VSPEX reference architecture.

Having said all that I think FlexPod has established itself as a great reference architecture.  Its adoption rate has been growing and it is relatively mature.  Since FlexPod is limited to VMware and Cisco it has an advantage of fewer options and better integration & management through tools such as Cloupia.  It remains to be seen if VSPEX will produce a management and integration layer like that of Vblock and FlexPod but I think I can safely assume that it will.

The bottom line is that I feel as a customer it is better to have options especially if I have existing non-VMware and non-Cisco infrastructure.  I also already have established, trusted relationships with my EMC and NetApp partners who already know my environment.  So allowing them to build us a custom solution based on a proven (or yet to be proven) reference architecture would be a great opportunity.  A little competition also helps the market innovate and  continue to produce great partners on both sides of the aisle.  Now the lingering question I have is how long until Dell produces its competitor? ;-)

Permanent link to this article: http://ecktech.me/a-customers-take-on-emc-vspex-vblock-and-flexpod/

Apr 17 2012

PowerShell: Apply ActiveSync Policy to an Active Directory Group

This is a departure from the normal virtualization content but I wanted to document this for myself and hopefully others. Also note that this works with Exchange 2010 SP1. I know the code would be slightly different for Exchange 2007 but it may work with Exchange 2010 RTM.

We had the requirement to automate the application of an ActiveSync policy to a specific AD user group.  We also had to have a way to make sure that policy stays applied and is automatically applied during our on-boarding and off-boarding processes.  Last, we wanted to remove old ActiveSync partnerships for any devices that had not synchronized in 30 days or more.

Through some searching I found some examples that were close to what I needed to do so here is the script I created with the help of some posts on the Technet forums. You’ll want to substitute the group and policy names for your own.

# Assign all members of the DG to the dynamic array
$allMembers = Get-DistributionGroupMember -Identity '<AD Group Name>'

# Loop through the array
foreach ($member in $allMembers) {
    # Set ActiveSync for each member of the array
    $member | Set-CASMailbox -ActiveSyncEnabled $true
    # Set ActiveSync Policy for each member of the array
    $member | Set-CASMailbox -ActiveSyncMailboxPolicy "<EAS Policy Name>"
}

# Disable ActiveSync for anyone not in <AD Group Name> group
# (-ne selects the mailboxes that are NOT members of the group)
$groupidentity = $(Get-Group "<AD Group Name>").Identity.DistinguishedName
Get-Mailbox -Filter {(MemberOfGroup -ne $groupidentity)} -ResultSize Unlimited | Set-CASMailbox -ActiveSyncEnabled $false

# Remove any partnerships for devices that haven't checked in for 30 days or more
Get-CASMailbox -ResultSize Unlimited -Filter {(HasActiveSyncDevicePartnership -eq $true) -AND (name -notlike "cas_*") -AND (name -notlike "DiscoverysearchMailbox*")} | ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity | Where-Object { $_.LastSuccessSync -le (Get-Date).AddDays(-30) } | Remove-ActiveSyncDevice -Confirm:$false }

Hopefully this is pretty self-explanatory and will help you Exchange Admins out there. If anyone sees where I could be more efficient or has suggestions regarding the code let me know.

Permanent link to this article: http://ecktech.me/powershell-apply-activesync-policy-to-an-active-directory-group/

Feb 25 2012

Choosing the Right Vendors

One of the things I have been doing lately is relentlessly working to find new partners for several projects.  Vendor management is a soft skill that seems to be lacking with many people in IT and IT Leadership.  I just wanted to jot down a few of my thoughts and experiences as reminders to myself and perhaps others when going through the process to onboard a new partner or vendor.  It is obviously not a technical subject but something that may be helpful to you or anyone who may be new to vendor management responsibilities.

There are a couple schools of thought around how many vendors to partner with.  On one hand it would be nice to have one partner to work with that can do everything you need.  One call to make, one throat to choke.  On the other hand you may not want to put all of your eggs in one basket.  Vendor lock-in doesn’t just happen with hardware and software.  Imagine you’ve worked with a partner for years and they really know your environment.  If you cut that cord you’ll have to allow any new vendors time to assess and learn your environment.  That will take time and money.  It may be worth it in the end but know up front what you’re getting yourself into.  Ideally you may have a small number of vendors.  Enough to spread the work around and if you have a bad experience with one vendor it won’t affect your entire infrastructure or organization.

My number one priority with vendors is communication.  All too often I’ve found myself wasting valuable time hunting down someone for a status update.  Nothing is worse than waiting and wondering what’s going on with a project whether it be quotes or project milestones.

Any partnership needs to be built on trust and mutual respect.  A lack of either of those elements and failure is just a matter of time.  Respect allows both parties to keep each other accountable without affecting the overall relationship.  I’ve had plenty of situations where there have been disagreements or problems and with great partners it is easy to work through that and continue on about our business.  Bad relationships will not survive many of those situations.  Trust speaks for itself and is earned.  But once you have mutual trust things get much easier.

I alluded to it earlier but accountability is next.  When a partner makes a promise, whether it is an email follow up or a successful implementation, they need to deliver.  Don’t work with a vendor who over-promises and under-delivers.  Understand that unexpected things always come up but good vendors will be able to build buffers into projects to account for some of those.  They will also set expectations appropriately at all stages of a project.

Try to work with vendors who are punctual, professional, and flexible.  A good vendor is one who is observant and will adapt to you whether that’s schedule, dress, or communication style.  They’ll take challenges head-on and won’t get flustered when audibles need to be called.

With all of this keep in mind that any partnership is a two-way street.  At the same time you’re looking at your vendor to be easy to work with, trustworthy, and professional know that they are looking for the same from you.  It is easy to say “I’m the customer and I’m always right” but that’s not always the best philosophy.  Work with integrity and treat your partners the way you want them to treat you.

Finally, some of these metrics are tough if not impossible to determine before you engage a new partner.  Sometimes you have to use your gut and sometimes your gut fails you.  Make sure you build in protections to any SOW’s or contracts to allow you to break an unhealthy partnership.

Hopefully these thoughts are mostly not new to you but something in my ramblings may help you ask the right questions before engaging a new vendor.

Permanent link to this article: http://ecktech.me/choosing-the-right-vendors/

Feb 09 2012

Installing an Active Directory Enterprise CA Issued Certificate in Cisco UCSM 2.0

So you’re finally getting around to replacing all those self-signed default certificates in your infrastructure and UCS is next.  Or, perhaps, you’re just tired of getting a certificate error when loading the UCSM web page.  I’m fairly certain this procedure will work with at least 1.4 if not earlier releases but I didn’t take the time to spin up a simulator to double-check.

This process is fairly straightforward and quick.  The only thing you need to be aware of is that any administrators logged into UCSM or the KVM will get booted when you flip over to the new certificate.  But they’ll be able to log right back in so you may just give them a quick heads-up.  I assume you have a Microsoft Active Directory PKI running an Enterprise Root CA on Server 2008.  If you’re running Server 2003 this will still work but the screenshots and links while requesting the certificate may vary just a bit.  I also assume you have an A record created for your UCSM management address.

Process Overview

First, you’ll need to create what is called a TrustPoint in UCSM.  A TrustPoint is either a Root or Intermediate CA that UCSM will trust.  This is important as we’ll be installing a 3rd party certificate.  Without the TrustPoint defined, UCSM will not trust any outside Root CA whether it’s your own internal CA or Verisign.  After creating the TrustPoint we’ll need to import our CA’s certificate into our new TrustPoint and then create a new KeyRing within UCSM so we can request a new certificate from our Root CA.  Once that certificate is issued we’ll import that into our new KeyRing and the last step is to point the HTTP service to the new keyring so it uses the new certificate when serving up HTTPS requests.

Details

Before logging into UCSM we need to grab our Root CA certificate.  Hopefully you know which server in your infrastructure is the Root CA. If not you can find lots of information available to help you determine where that role resides.  Navigate your web browser (IE recommended for this part) using the FQDN of your CA to the certsrv virtual directory, for example https://rootca.domain.local/certsrv (if https doesn’t work try http).  Click on “Download a CA certificate, certificate chain, or CRL”.


Next, select the Base 64 radio button and then click “Download CA Certificate”.


Save this file to a convenient location.  It should be a .cer file and readable via a text editor.  The first line of the file should be “-----BEGIN CERTIFICATE-----” and the last line should be “-----END CERTIFICATE-----”.  If you see binary characters without those two lines you have a cert in the wrong format.  Double check that you selected Base 64.

Now, you’ll need to log in to UCSM.  Navigate to the Admin tab and expand Key Management.  If you haven’t done anything with certificates in your UCS environment you should only see KeyRing default which contains the self-signed certificate created upon the initial setup.


Right-click the Key Management node and select Create TrustPoint.  Fill in the form with a descriptive name and then paste the ENTIRE contents of the .cer file you just downloaded into the Certificate Chain field.  Click OK and your TrustPoint is created.


Next we have to create a new KeyRing and a new certificate request (CSR).  In UCSM right-click on the Key Management node and click Create KeyRing.  Again, fill in the name field with something descriptive and I would recommend selecting Mod2048 to create a 2048-bit RSA protected certificate.  It will work with the other options, though.


Click OK and on the next screen choose a password for your certificate along with the SN (Subject Name) and IP Address.  The SN should be the FQDN of your UCSM management address (not the name used to reach either of the fabric interconnects).


Click OK and in the next window copy the certificate request text to your clipboard (or a file) and switch back over to your CA again with your browser.


Navigate back to https://rootca.domain.local/certsrv and this time click on the “Request a certificate” link.


Select the link to submit an advanced certificate request.


Click the link to submit a request using a base 64-encoded file.


Next paste the contents from your CSR into the Saved Request field.  Under Certificate Template be sure to select Web Server (which is an out-of-the-box certificate template for a Windows CA).  If you do not have a choice for a Web Server then your Windows infrastructure team may be able to help you select the correct template or there is an issue with the CA.


Click submit and you will be allowed to download your new certificate.  Again, make sure you download the Base 64 encoded certificate and save it as a .cer file.  Open up the .cer file with a text editor and copy the entire contents of the file.  Now head back to UCSM under Key Management and click on the new KeyRing you created previously.  Select the Certificate area and select the TrustPoint you created previously from the drop down.  Paste the contents of the .cer file into the Certificate field and click OK.


Finally, just under Key Management in the left pane expand Communication Management and select Communications Services.  In the right-hand pane under the HTTPS section select your newly configured KeyRing.  You’ll be warned that any UCSM connections will be reset.  After you agree you’ll be booted from UCSM but you may immediately log back in if you wish.


Now let’s verify the new certificate is working.  Browse to your UCSM webpage, for example https://ucs1.domain.local and you should see that your certificate error is now gone.
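The two checks this procedure depends on, that each .cer file is Base 64 text with intact BEGIN/END lines before you paste it and that the certificate UCSM serves afterwards chains to your CA, can be scripted. This is an added example, not part of the original post; the function names and the sample bytes are made up for illustration.

```python
import base64
import binascii
import re
import socket
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)
DER_PREFIX = b"\x30\x82"  # ASN.1 SEQUENCE with a two-byte length, as in any real certificate


def inspect_cer(data: bytes) -> dict:
    """Report a .cer file's encoding and anything that would break a paste into UCSM."""
    report = {"format": "unknown", "certs": 0, "problems": []}
    if data.startswith(DER_PREFIX):
        report["format"] = "der"
        report["problems"].append("binary DER, not Base 64: re-download or convert")
        return report
    text = data.decode("utf-8", errors="replace")
    if "\u2013" in text or "\u2014" in text:
        # Hyphens turned into en/em dashes by a word processor or web page
        report["problems"].append("typographic dashes in the BEGIN/END lines")
    if BEGIN not in text or text.count(BEGIN) != text.count(END):
        report["problems"].append("BEGIN/END line missing: partial copy")
    for body in BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            report["problems"].append("Base 64 body is corrupt")
            continue
        if not der.startswith(DER_PREFIX):
            report["problems"].append("decoded body is not a DER certificate")
            continue
        report["certs"] += 1
    if report["certs"] and not report["problems"]:
        report["format"] = "pem"
    return report


def der_to_pem(data: bytes) -> str:
    """Convert a binary (DER) download into the Base 64 text UCSM expects."""
    return ssl.DER_cert_to_PEM_cert(data)


def check_served_cert(host: str, ca_file: str, port: int = 443) -> dict:
    """Handshake with UCSM trusting ONLY ca_file; raises ssl.SSLCertVerificationError
    if the chain or the name does not verify. Python matches the host name against
    subjectAltName entries only, not the subject CN."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"subject": cert.get("subject"),
            "san": cert.get("subjectAltName", ()),
            "notAfter": cert.get("notAfter")}


if __name__ == "__main__":
    # Constructed bytes with a DER-style header; NOT a real certificate.
    sample_der = DER_PREFIX + b"\x00\x10" + bytes(16)
    print(inspect_cer(sample_der))
    print(inspect_cer(der_to_pem(sample_der).encode()))
    # Example with this post's host name and an assumed local file name:
    # print(check_served_cert("ucs1.domain.local", "rootca.cer"))
```

Run `inspect_cer` on both the CA certificate and the issued certificate before pasting them into the TrustPoint and KeyRing; `check_served_cert` needs network access to the UCSM address.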


Permanent link to this article: http://ecktech.me/installing-an-active-directory-enterprise-ca-issued-certificate-in-cisco-ucsm-2-0/

Feb 07 2012

Reinstalling Nexus 1000v VEM Modules in ESXi 5

There may be several reasons why you might need to reinstall a VEM module.  In my case a few weeks ago we had an issue during our upgrade from UCS 1.4(3q) to 2.0(1t).  During the upgrade for a yet to be explained reason, all VMK ports went into a blocking status on 2 out of our 4 B250M2 blade ESXi 5 hosts.  After hours of troubleshooting with TAC we decided to pull down new VEM modules and install those even though they were the same version number as the existing ones.

During this process you WILL lose connectivity to your ESXi host so please make the appropriate arrangements to get it into maintenance mode beforehand.  In my case we were already down so it didn’t matter but hopefully you’re doing it as part of planned maintenance.

First, enable ESXi shell by gaining console access to your host via KVM, iLO, DRAC, etc.  Login with your root credentials and enter the Troubleshooting Options section.  Within there you’ll see the top option is to enable ESXi Shell so just select the option and hit enter.

Next, hit alt-F1 to gain access to the ESXi shell and again login as root.  To see which version of VEM you’re currently running (needed so you can form the uninstall command) type

esxcli software vib list

The Cisco VEM module is usually the first item listed.  In my instance this was cisco-vem-v131-esx.  Now you’re ready to uninstall the VEM by typing:

esxcli software vib remove -n cisco-vem-v131-esx

Now navigate in a browser to https://<UCSM IP Address>/vmfex/vmfex.html and grab the appropriate version of VEM for your environment.  If you’re running ESXi 5 and UCSM 2.0(1t) that version will be cross_cisco-vem-v132-4.2.1.1.4.1.0-3.0.4.vib.

Use your favorite SCP utility to copy that VIB file over to your ESX host.  I placed mine in /tmp.  Now execute the following command to install the new VEM:

esxcli software vib install -v /tmp/cross_cisco-vem-v132-4.2.1.1.4.1.0-3.0.4.vib

Finally, to verify the host is talking to your N1Kv properly run:

vemcmd show port

The output should look similar to the following screenshot but will vary depending on your number of NICs and VMK port groups.

Check to make sure none of your ports are in BLK (blocking) mode.  When I started all of my VMK ports were BLK instead of FWD (forwarding) which was the source of my connectivity issues.  You can see above that now all ports are passing traffic.

Hopefully this walkthrough is straightforward and helps you get out of a sticky situation.

 

Permanent link to this article: http://ecktech.me/reinstalling-nexus-1000v-vem-modules-in-esxi-5/

Feb 05 2012

Mac Convert – What I Use

It’s been about 3 weeks since I touched my first OS X machine.  I have an iPad but other than doing some software development in C on OS 8/9 I have no day to day usage experience with a Mac.  I started out with a 17″ MBP running Lion (10.7.2) and it took about 48 hours for me to fall in love.  Once I figured out the gestures on the touch pad I ditched the conventional mouse I ordered and grabbed a magic mouse.  If my work area changes then I may have to get the large bluetooth touchpad.

Thanks to the twitterverse and WWW I was able to get a good idea of what apps I would need on my new platform to get my job done.  I’m still doing some lookups to accomplish things here and there but for the most part it didn’t take too long to get up to speed.  Because I work in a Windows shop I do rely on a Windows 7 VM running in VMware Fusion and that has been solid.  I haven’t ever used Parallels or KVM but I don’t feel I have a reason to want to try them with Fusion.  An add-on for Fusion is Nick Weaver’s UBER Network Fuser which allows you to do some advanced networking with your VM’s.  The functionality is there in VMware Workstation – their Windows and Linux hypervisors – but is not easily accessible without Nick’s Uber Network Fuser in Fusion.

For an office suite I stuck with Microsoft’s Office for Mac 2011.  From everything I’ve read it is the suite that sets the bar for productivity.  Since Office does not include OneNote I started using EverNote but I have to keep 2 sets of notes because much of our in-house documentation is in OneNote.  But that’s one of the reasons I keep a Windows VM handy.

For text editing I’ve taken to Text Wrangler.  I have to admit that I may have chosen differently but I wanted to start off with free apps and purchase something more powerful later if needed.  It isn’t as nice as Notepad++ but it still gets the job done.  I’ll probably end up purchasing something like BBedit, though.

In Windows I used IE and Chrome so I didn’t stick with Safari for very long.  Nothing against Safari, but I’m sort of already vested with Chrome and that’s what I’m using now.

Tweetdeck is an app I will definitely miss.  It is sort of good timing that I’m turning away from it though as the new version is horrible.  To replace it I checked out a pretty much unknown client called Janetter.  It is very Tweetdeck-like and provides the handy pop-up notifications without having to have Growl.  I’ve heard good things about Hootsuite so I may check that out but for now Janetter is working well.

Another productivity app I’ve found is called Alfred.  It’s a spotlight replacement that I’ve found works better and quicker.  Hotkeys are easy to setup and it has quite a few options to configure search.

I don’t think I need to recommend CoRD.  If you use RDP to connect to servers then you’re probably already using it.  If you’re not then I highly recommend it.

Finally, I have been a Dropbox user for quite some time but I recently tried out Bitcasa.  The premise is the same but it is in limited beta and they give you unlimited storage.  The other thing I like about Bitcasa is that they allow you to pick and choose folders to “cloudify” instead of having to keep all of your Dropbox files in the same folder hierarchy.  It’s a double-edged sword but so far Bitcasa is a worthy competitor.

For hardware I elected for 8GB of RAM (hope to upgrade to 16 soon) and a Seagate Momentus XT drive that I have been using for about a year in my Windows laptop.  My boot times and overall performance are already way better than my Windows machine so I couldn’t imagine what it would be like with an SSD.  I probably won’t go that route for a while just because I feel I have all the performance I need.

Overall I’m super happy with this MBP.  I’m by no means an Apple fanboi now and I don’t foresee replacing my home desktop with an iMac but I do love this laptop and look forward to getting to know it better and becoming more productive.

Permanent link to this article: http://ecktech.me/mac-convert-what-i-use/

Jan 26 2012

VMware View 5 Persona Management Configuration

Persona Management has come a long way in View 5.  VMware acquired Persona Management from RTO software back in February 2010 and quickly promised to offer it as part of the View package.  It was a difficult road and didn’t make it into View 4.6.  But it has made it to View 5 and has so far been worth the wait.  I won’t go into great detail as to the features specifically but I do want to post about how we were able to get it up and running in our View 5 Pilot.  In under an hour we were able to get it up and running.  With a couple hours of additional work we were able to get it tailored to our Pilot environment users.

Persona Management (PM) is based off of the concept of roaming profiles.  The idea is that a user can jump from machine to machine (or VM to VM in the case of floating pools in VDI) and have certain data follow and be available to the user.  This data could include but isn’t limited to desktop files, start menu shortcuts, and application data (such as Outlook profile and other application settings).

I’m going to make a few assumptions before we get started.  My intention for this article is to help you get familiar with PM.  I don’t intend for you to follow this guide to get PM snapped right into your production environment.  So use some caution. Now, the first assumption is that you are using a management workstation that is Windows-based to perform the following tasks. Second is that you are somewhat familiar with Group Policy and ADM templates.  If I lose you anywhere feel free to leave a comment and I’ll give more detail for any of the steps.  Last, I assume you already have a functioning View 5 deployment whether in production or in a lab.

So let’s jump in.  The first step is to create a repository for the PM files.  The repository will most likely be a CIFS share.  In our case we added a new CIFS share to our DFS infrastructure and named it Profiles.VM.  Unless you have specific security requirements the folder should be shared to the Everyone group and given Full Control rights for both share and NTFS permissions.  Note that when a user’s particular profile directory is created it will give that user exclusive rights to that folder so other users can’t peruse their personal data.

Now that we have the profile repository created we can start working on the Group Policy.  The GPO is what tells Windows to redirect certain directories in the user’s profile to the Profiles.VM repository.  To begin the GPO configuration you’ll first need the ADM template files to import into your new GPO (see more about GPO Administrative templates HERE).  You can find the ADM template files located in the following directory of any View Connection Server.

<install_directory>\VMware\VMware View\Server\extras\GroupPolicyFiles

You’ll see that there are several ADM templates including one for PCoIP.  (I won’t go into detail on those but it is easy to find info about them in the Administrator’s guide or ol’ Google).  The file you’ll want is called ViewPM.adm so grab that and copy it to your workstation.  Assuming you are using Windows 7 and you have RSAT installed go ahead and open the Group Policy Management console (gpmc.msc from cmd line will launch it).  With the GPMC opened navigate your directory tree until you find the OU where your View desktop computer accounts reside (you did put your View desktops in their own OU, right?  If you didn’t I would strongly encourage you to do so).  Right-click the OU and select “Create a GPO in this domain, and Link it here…”


Next, be a good admin and give your new GPO a descriptive name and hit ok.  Now find your new GPO by navigating to the OU you’ve just applied it to or by looking in the All Group Policy Objects list in the GPMC.  When you find it right-click on it and click Edit.  Expand Computer Configuration then Policies and right-click on Administrative Templates.  Click on Add/Remove Templates.


In the dialogue box that opens click the Add button and browse to the location you saved the ViewPM.adm file.  Select it and click Open.  You’ll see ViewPM is now in your list of ADM templates and you can click Close in the Add/Remove window.  Expand Administrative Templates and you’ll see a new folder called Classic Administrative Templates (ADM).  Within that folder you can expand out to find the PM GPO settings.


There are quite a few settings here and I am just going to go through a small portion of them but I believe it will be enough to illustrate the concepts and get you up and tuning your own GPO.  For our Pilot we wanted to redirect a few folders to the Profiles.VM repository so that data would follow the user.  First we need to navigate to VMware View Agent Configuration/Persona Management/Roaming & Synchronization and set the Persona Repository location, for example \\fileserver01\Profiles.VM\%username%

Next, we redirected the Desktop, AppData (Roaming), Favorites, History, and Recent Items.  To perform the redirection locate the Folder Redirection folder – VMware View Agent Configuration/Persona Management/Folder Redirection – and double-click any of the folders in the list that you wish to redirect.  Click the Enable radio button and then type in the path to the Profiles.VM repository, for example \\fileserver01\Profiles.VM\%username%\Desktop.  The %username% is a variable that allows the GPO to create a folder based on the username of the person logging into the system.  Once the path is entered just click Ok and rinse/repeat for each folder you wish to redirect.


Wow, that was easy, wasn’t it?  The next time a user logs into a pool the GPO will work its magic and you’ll see those new PM profile folders created in your PM repository.  Cool!

Sidenote – two folders will be created for each user in the Profiles.VM repository, username and username.V2.  The username directory will house the PM profile for the XP-based pools while the username.V2 directory will house the PM profile for Vista and 7 pools.  This is due to changes in the profile system in Windows between XP and the later Vista/7 versions.

Next I just want to provide a few other GPO settings that I used in our Pilot.  Under VMware View Agent Configuration/Persona Management/Roaming & Synchronization I excluded the AppData\Roaming\Adobe folder since that directory can contain update files and such that I don’t want taking up space for hundreds of users.  Also in the same area, I set the Roam local settings folders to enabled to help with things like Outlook profiles.  Last, just to tidy up the UI a bit I disabled the Action Center icon because it always was complaining about the update service being disabled.  This setting is located under User Configuration/Policies/Administrative Templates/Start Menu and Taskbar/Remove the Action Center icon.  The other setting I changed was to add the file server where the PM repository was located to the trusted zone list to eliminate Windows 7 security prompts when launching shortcuts from the user’s PM profile.  This setting is located under User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List.  Just enter the FQDN of your server, for example file://fileserver01.domain.local and you’ll be good to go.

This should be a fairly easy setup with the capability to tweak a lot of settings based on your specific requirements and desired user experience.  There are debugging tools within this GPO as well in the Logging section to help in troubleshooting any unexpected results.  I hope the long post is justified by positive results for your View 5 environment!


Permanent link to this article: http://ecktech.me/vmware-view-5-persona-management-configuration/

Oct 31 2011

My Initial NetApp Thoughts

I’ve been living in a mostly EMC Fiber Channel world for the last 5+ years both as a customer and consultant. Now, just two months after becoming a NetApp customer and going through the NCDA bootcamp I’m starting to form some opinions.

First, NetApp seems to be a solid array so far. I’ve gone from pure FC to FC/iSCSI/NFS. Considering my current environment, we’re not taxing our FAS3140s too hard but I certainly haven’t been starved for performance. We’re running ONTAP 7.3.3 so we’re not seeing some of the VAAI gains but that will be solved with a software upgrade in the near future. The dedupe is good (although I would prefer in-line) and our arrays have just about every available license. We’re also using all the built-in backup tools for our entire backup solution (OSSV, SnapMirror, SAN Snapshots, etc). This is the first time I’ve been in an environment that didn’t use Veeam, NetBackup, Commvault, Backup Exec, etc. in some capacity. No tapes, no 3rd party backup.

I’m absolutely still learning OnCommand and reverse engineering the previous Engineer’s design decisions but I have to say so far the DR piece of NetApp has been a royal pain in the ass. It isn’t intuitive in the least and there are too many management points (or no single pane of glass). I have to jump from screen to screen to get information and the interfaces are slow. I don’t know if the new OnCommand System Manager 2.0R1 is an improvement over 1.1 but it can be painful to click around due to the waiting.

vSphere integration is decent. I’m used to Navisphere/Unisphere but I think NetApp has done a great job with their integrations and interfaces. I like that the vSphere plugin doesn’t require an install in the vSphere client – it’s there just waiting for you the first time you log in to vSphere. And when vSphere 5 was released they had updated versions to go with it fairly quickly.

I’m not going to get into the debate about WAFL other than just saying for file storage it actually seems like a good algorithm. I think you have to really know what you’re doing to get the block performance out of it, though. But there are many more people smarter than I who can better have the WAFL discussion.

As far as support goes, it’s on par with other vendors. I’ve called in quite a few times and most of the calls have been great. However, the one ticket I have open that is really important is regarding one of our filers that crashed and produced a core dump. It has been 12 days now and I don’t have an answer back as to why the array crashed. I’ve had to call every day to get a status update and I’m on my third support engineer. It took a week just to get the core team to review the dump. Every vendor I’ve worked with has had good and bad. But this one is really bad and unfortunately it tarnishes the rest of the good calls and overall feelings.

To recap, I feel like NetApp has a solid lineup that can compete with the Clariion, Celerra, and VNX lines. I haven’t been up the scale to the VMAX and beyond so I can’t speak to a comparison at that level. And although my heart still lives with EMC the NetApp is getting the job done. I’m learning every day and keeping a positive attitude about the differences in the technologies and methodologies.

Permanent link to this article: http://ecktech.me/initial-netapp-thoughts/

Oct 17 2011

The Cloud is Cloudy

I’m just like so many IT folk these days who are pummeled with the pontifications of the industry regarding that “C” word. And while it is a movement I believe in I also treat it like any other facet of life and question the hell out of it. Why? How? Who? Some of us may be beyond acceptance at this point, but there are still many unanswered questions and issues in my mind.

The definition of cloud computing is debatable, but this is what I believe. True Cloud means the complete abstraction of an application or “workload” from a single or multiple points of failure. Translation: an application that runs in a cloud does not have outages due to hardware, network, or datacenter annihilation. The workload moves freely as necessary to avoid bottlenecks and downtime. It seems that many of the advanced technologies that we utilize in cloud infrastructure still depend on some of the core IT services that have been around a long time, such as DNS, and those technologies haven’t evolved much at all. The recent outages on Amazon’s EC2 and Microsoft’s 365 “Clouds” really make me question whether or not we can get to the true cloud without some additional fundamental changes in the core infrastructure services. Or perhaps is it just as simple as improving the controls on the infrastructure – preventing a costly mistake of an admin or automated system from taking down a cloud application? Or is the OS perhaps the piece that needs to change? (I don’t know a lot about PaaS yet, but I do read very interesting things about where that might be headed.)

Resiliency should be the 1st requirement of a cloud, public or private. For the sake of simplicity I’m not going to include the private cloud because I believe that, in general, this type of infrastructure is too costly and unattainable for most organizations (which is why the public cloud should be so appealing with its economies of scale). Enterprise public cloud is my focus because I see many organizations moving commodity applications to a public cloud infrastructure and continue to get hit with major outages. For example, Microsoft Office 365 has had several major outages since launching earlier this year. In fact, they seem to expect outages of up to 18 full days per year (http://www.theregister.co.uk/2011/06/30/microsoft_cloud_uptime/). Do you allow your mail system to be down that much in your own private or non-cloud infrastructure?

I definitely think we’re moving in the right direction and that we will get to the right solution. The marketing machine is moving at a blistering pace, however. I’d like to see some more talk about what today’s enterprise public cloud can’t do for you. I think we need to evaluate our unencumbered trust in the cloud and keep the innovation train moving. It is amazing to me how many great minds are out there coming up with the new technology and then also evangelizing it. I’m very excited for the future of IT – that much is for certain. I just don’t think today’s Cloud is what I had envisioned. But, hey, maybe Cloud 2.0 will be the next big thing!

Permanent link to this article: http://ecktech.me/cloud-is-cloudy/

Sep 07 2011

Apparent Cisco UCS 1.4(2b) Bug

Earlier this week I attempted to do something seemingly simple.  It was actually my first production change to the UCS chassis.  I added a new VLAN to the fabric and then added the VLAN to the appropriate service profiles.  Upon UCSM reassociating the service profile with the blades I immediately noticed errors and warnings popping up in the UCSM.

After some head scratching and self-doubting of my UCS abilities I started up a TAC case.  Luckily there were no ill effects from these errors yet so I was optimistic that it would be some small oversight on my part and a quick fix by the TAC Engineer.  What we found was that the SUP recv_q queue was quickly filling up on both fabric interconnects.  According to TAC we just needed to flush the queue to clear the errors and we’d be off and running.  She was correct and within a few minutes we were closing the case.  She strongly suggested upgrading to 1.4(3m) or 1.4(3q) as, according to her, 1.4(2b) has been a very problematic release.  I’d be interested to know if others have experienced any similar cases or general issues with 1.4(2b). I don’t have an article or documentation that this is actually a bug, that’s just what the TAC Engineer was claiming.

Here’s how we were able to flush the queue on the interconnects.  It involves the debug plugin which is unsupported for use without a TAC Engineer’s involvement.  The only way to get the tool (that I know of) is through a TAC Engineer and their policy is to delete it once they are done.

<code>UCS-01-B# connect nxos
UCS-01-B(nxos)# show system  internal mts buffers summary
node    sapno   recv_q  pers_q  npers_q log_q
sup     58715   209705  0       0       0
sup     1432    2       0       0       0
sup     284     0       2       0       0
sup     761     0       0       1       0
UCS-01-B(nxos)# exit
UCS-01-B# connect local-mgmt
UCS-01-B(local-mgmt)# pwd
workspace:/
UCS-01-B(local-mgmt)# ls
 1      16 Sep 09 11:51:34 2010 cores
 2    1024 May 19 13:14:49 2011 debug_plugin/
 1      31 Sep 09 11:51:34 2010 diagnostics
 2    1024 Sep 09 11:49:29 2010 lost+found/
 2    1024 Sep 06 16:56:20 2011 techsupport/
 1 2299442 Aug 09 12:10:39 2011 ucs-dplug.4.2.1.N1.1.42.gbin
Usage for workspace://
290835456 bytes total
10737664 bytes used
265081856 bytes free
UCS-01-B(local-mgmt)# copy workspace:///ucs-dplug.4.2.1.N1.1.42.gbin volatile:dplug
UCS-01-B(local-mgmt)# load-debug-plugin volatile:dplug
###############################################################
  Warning: debug-plugin is for engineering internal use only!
  For security reason, plugin image has been deleted.
###############################################################
Successfully loaded debug-plugin!!!
Linux(debug)# ps -ef | grep portAG
root      8028  4370  1 Aug09 ?        10:23:07 svc_sam_portAG --x
root      6565  6555  0 14:58 pts/1    00:00:00 grep portAG
Linux(debug)# kill 8028
Linux(debug)# ps -ef | grep portAG
root      6605  4370 27 14:59 ?        00:00:05 svc_sam_portAG --x
root      6649  6555  0 14:59 pts/1    00:00:00 grep portAG
Linux(debug)# exit
exit
UCS-01-B(local-mgmt)# exit
UCS-01-B# connect nxos
UCS-01-B(nxos)# show system  internal mts buffers summary
node    sapno   recv_q  pers_q  npers_q log_q
sup     54263   16      0       0       0
sup     1432    2       0       0       0
sup     284     0       2       0       0
sup     761     0       0       1       0</code>

Notice the recv_q size before and after the kill command. Hopefully this hasn’t affected many of you but if it has I hope you found this and it helped.
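A way to check for this condition from a captured session, as an added example (not code from the original post or from Cisco): it parses the `show system internal mts buffers summary` table shown above and reports any queue at or above a threshold. The function names and the 1000-message threshold are assumptions; the two sample tables are copied from the session above.

```python
import re

# Sample input: the "before" and "after" tables from the session above.
BEFORE = """\
UCS-01-B(nxos)# show system  internal mts buffers summary
node    sapno   recv_q  pers_q  npers_q log_q
sup     58715   209705  0       0       0
sup     1432    2       0       0       0
sup     284     0       2       0       0
sup     761     0       0       1       0
"""
AFTER = """\
node    sapno   recv_q  pers_q  npers_q log_q
sup     54263   16      0       0       0
sup     1432    2       0       0       0
sup     284     0       2       0       0
sup     761     0       0       1       0
"""

QUEUES = ("recv_q", "pers_q", "npers_q", "log_q")
# A data row is a node name followed by exactly five integers.
ROW = re.compile(r"^\s*(\S+)" + r"\s+(\d+)" * 5 + r"\s*$")

def parse_mts_summary(text):
    """Return {(node, sapno): {queue_name: depth}} for every data row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, CLI prompt, or blank line
        node, sapno, *depths = m.groups()
        rows[(node, int(sapno))] = dict(zip(QUEUES, map(int, depths)))
    return rows

def backed_up(text, threshold=1000):
    """List (node, sapno, queue, depth) for queues at or above threshold.

    threshold is an assumed alerting value, not a Cisco-documented limit.
    """
    hits = [
        (node, sapno, queue, depth)
        for (node, sapno), queues in parse_mts_summary(text).items()
        for queue, depth in queues.items()
        if depth >= threshold
    ]
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, backed_up(capture) or "no queue above threshold")
```

Run against saved output from both fabric interconnects, this gives a quick before/after comparison without reading the table by eye.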

Permanent link to this article: http://ecktech.me/apparent-cisco-ucs-1-42b-bug/
