vShield Administration Guide
136
VMware, Inc.
Port Id is the first column in all other tables (Active Ports, Switch State, and Portstats). This is a unique identifier assigned by the vshd module for each fence-enabled port. This ID is internal and has no external meaning. It is the dvfilter name for that port, cast to Uint64. The port ID is useful for querying values for a specific port with the fenceutil portInfo <portId> command, which outputs details of only one port.
Active Ports shows all the ports/vNICs where fencing is active. This includes the mirror vNICs. Your first host has five ports enabled for fencing, two of which are mirror vNICs. The mirror vNICs can be identified by a special fence ID of fffffe. The OPI column indicates the fence ID. In your setup, the first host has one fence with ID 000001. The next column indicates the LanId configured for that port. This is an indication of which vSwitch the ports might be connected to. In the output below, your first host has two vSwitches (dvswitches). One has been assigned LanId 1 and the other one has LanId 2. Thus, you see two mirror virtual machine vNICs (one for each vSwitch) with different LanIds in active ports.
Switch State shows the learning table of the internal unicast learning in the fence module. Inner MAC means the MAC of the destination VM; outer MAC means the hostkey MAC of the host on which this VM is present. The learning builds this table by looking at packets, trying to learn which VM is on which host. When one VM on that host tries to reach another virtual machine, this table is looked up. If the destination VM's MAC is seen in the inner MAC column, then the OuterMac is used as the destination hostkey MAC to be put in the outer MAC header added by the fence module. If an entry is not found here, the packet is broadcast (the outer MAC header's destination MAC is set to broadcast). Like any other learning system, this one also has mechanisms to time out or modify learnt entries. This takes care of things like VMs moving to different hosts and makes sure that the table does not grow too large with stale MAC entries. The used/age/seen bits represent the flags used by the fence module to track the frequency of these MAC entries. The learning is done on a per-port level, hence you would see the same inner MAC - outer MAC pairs on different ports. This table also shows the same hostkey MAC in the outer MAC sections because, even for VMs on the same host, the same code is used: a packet is encapsulated and sent from the source port and decapsulated on the destination port. There is no optimization for same-host VMs. Thus, for VMs on the same host, the outer MAC will be the hostkey MAC of the same host.
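The lookup, broadcast-on-miss and aging behaviour described in the Switch State paragraph, modelled as an added Python example (not VMware code and not part of the guide). The class and function names, the MAC addresses and the timeout-based aging are assumptions; the real module tracks entries with its used/age/seen flags.

```python
# Toy model of the per-port inner-MAC -> outer-MAC learning table.
# Assumption: a simple timeout stands in for the used/age/seen flags.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class FenceLearningTable:
    def __init__(self, max_age=300):
        self.max_age = max_age   # seconds before an entry is stale (assumed)
        self.ports = {}          # port_id -> {inner_mac: (outer_mac, last_seen)}

    def learn(self, port_id, inner_src, outer_src, now):
        """Record which host (outer MAC) a VM (inner MAC) was seen behind."""
        self.ports.setdefault(port_id, {})[inner_src] = (outer_src, now)

    def outer_dst(self, port_id, inner_dst, now):
        """Outer-header destination MAC for a frame leaving port_id."""
        entry = self.ports.get(port_id, {}).get(inner_dst)
        if entry is None or now - entry[1] > self.max_age:
            return BROADCAST     # unknown or stale: broadcast the outer frame
        return entry[0]

    def expire(self, now):
        """Drop stale entries so the table does not fill with dead MACs."""
        for table in self.ports.values():
            stale = [m for m, (_, seen) in table.items()
                     if now - seen > self.max_age]
            for mac in stale:
                del table[mac]


def demo():
    # Constructed sample values: two hostkey MACs and two VM MACs.
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    vm2, vm3 = "02:00:00:00:01:02", "02:00:00:00:01:03"
    t = FenceLearningTable(max_age=300)
    r = {"miss": t.outer_dst(1, vm2, now=0)}       # nothing learnt yet
    t.learn(1, vm2, host_a, now=10)                # vm2 lives on this host
    t.learn(1, vm3, host_b, now=10)                # vm3 lives on a remote host
    t.learn(2, vm3, host_b, now=12)                # same pair on a second port
    r["same_host"] = t.outer_dst(1, vm2, now=20)   # still encapsulated
    r["remote"] = t.outer_dst(1, vm3, now=20)
    t.learn(1, vm3, host_a, now=100)               # vm3 moved to host A
    r["after_move"] = t.outer_dst(1, vm3, now=110)
    r["port2_view"] = t.outer_dst(2, vm3, now=110) # port 2 has not relearnt
    r["aged_out"] = t.outer_dst(2, vm3, now=400)   # 388 s since last seen
    t.expire(now=400)
    r["entries_left"] = sum(len(p) for p in t.ports.values())
    return r
```

Because learning is per port, port 2 keeps the old outer MAC for the moved VM until it relearns or the entry ages out, which is why stale entries matter when reading the Switch State table.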
Port Statistics shows packet stats on a per-port basis, one port per row. The from and to VM stats indicate packets to and from the VM. The subcategories indicate the specifics about the packet. The details of each counter are in the following structure. Let me know if you need any more info on this.
Troubleshooting vShield Edge Issues
Virtual Machines Are Not Getting IP Addresses from the DHCP Server
To determine why protected virtual machines are not being assigned IP addresses by a vShield Edge
1. Verify DHCP configuration was successful on the vShield Edge by running the CLI command: show configuration dhcp.
2. Check whether DHCP service is running on the vShield Edge by running CLI command: show service dhcp
3. Ensure that vmnic on virtual machine and vShield Edge is connected (vCenter > Virtual Machine > Edit Settings > Network Adapter > Connected/Connect at Power On check boxes).
   When both a vShield App and vShield Edge are installed on the same ESX host, disconnection of NICs can occur if a vShield App is installed after a vShield Edge.
Load-Balancer Does Not Work
To determine why the load balancer service on a vShield Edge is not working
1. Verify that the Load balancer is running by running the CLI command: show service lb.
   Load balancer can be started by issuing the start command.
2. Verify the load-balancer configuration by running command: show configuration lb.
   This command also shows on which external interfaces the listeners are running.