How to find powerpoint slides that don’t fit the template

If you have ever copied a Powerpoint presentation from an old company template to a new one, you will find that any slides that have been altered even slightly from the template cause a new slide layout to be added to your template – it will be given the same name as the original with the characters 1_ prefixed. You can see what I mean by pressing Cmd+Opt+1 to open slide Master View* and hovering the mouse over the slide layout.

This means that these slides (slides 10,30 plus who knows how many others in my illustration above) are not going to reflect any change made to the original slide master – which in my illustration above was called Two Content Layout. Often this is not a big deal, but sometimes it can cause all sorts of weird re-arrangements of layout.

I needed a way of quickly identifying which slides had been copied across and not matched the new template. The Microsoft super-unfriendly way of hovering the mouse over the slide and hoping the list of slide numbers would appear is totally inadequate and extremely inefficient. And just sooo frustrating.

So this is what I did to find the powerpoint slides that didn’t fit the template in four simple steps:

  1. Add a marker slide to the end of the template
  2. Select ALL the layouts after the marker slide
  3. Change the slide background colour
  4. Fix your slides by re-applying the correct layout
  5. Delete the erroneous layouts

Here are the steps in detail and pictures.

Step #1. Add a marker slide to the end of the template

This picture taken from slide master view says it all

Step #2 Select ALL the layouts after the marker slide

When you paste your slides into the new presentation, PP will add all of the imported layouts at the end of the list in Slide Master view.

Use Click -> Shift-click to select all the extra layouts.

Step #3 Change the slide background colour

With all the extra layouts selected, right click on one of the layouts to bring up the menu, and choose Format Background – I choose a colour like pink. Don’t make the colour too bright, you won’t be able to read your slides.

Step #4 Fix your slides by re-applying the correct layout

Now with the new background colour, your slides can be easily identified when you return to normal view. Unfortunately, the process of re-applying the master to each slide is still time consuming, but is probably best done one slide at a time because sometimes things don’t go as planned when the template is re-applied, especially if you have had others edit the slides who pay no attention to which layout they use.

Step #5 Delete the erroneous layouts

Once you’ve been through your slides, you can go back to the Slide Master view and select all your coloured background layouts and delete them.

RedNectar


*Windows users may have to use this trick to get quickly to Slide Master view – it works on macOS as well. Stolen from this source

Holding the SHIFT key and clicking on the Normal View icon in the lower right-hand corner of your screen will take you to the Slide Master View of your presentation


USB-A for Apple Magic Mouse – Apple, you’ve GOT to be joking!

I have just bought a Magic Mouse 2. I bought my Mac Book Pro in 2016. The instructions in the MM2 say “To Pair your mouse with your Mac, use the Lightning to USB cable that came with your Mouse”.

However, the cable that came with my mouse is a Lightning to USB-A cable, whereas all Mac Books sold since 2016 (or thereabouts) have had USB-C (sold as Thunderbolt) ports.

I believe Apple should supply me with an appropriate cable (Lightning to USB-C) or at the very least an adapter to convert the ancient USB-A cable to USB-C.

I’ve submitted the above to Apple Feedback. But I’m not holding my breath waiting for Apple to send me a suitable cable.

How can Apple be allowed to sell peripherals that are incompatible with the products that they are meant to support?

Just another case of Apple not caring about the PC world.

RedNectar


Configuring Link Speed on UCS 6545 10/25G ports

Configuring Link Speed on UCS 6545 Fabric Interconnects as 10/25G ports is not at all intuitive. You would think that right-clicking on a port under Equipment > Fabric Interconnects > Fabric Interconnect A (or B) > General would give you the option to change the link speed (it does for 40G ports, but not 10/25G ports).

So the secret is to double-click on the port to bring up the Properties window.

From here you find the Show Interface option, and once that is opened, you can find the Admin Speed setting.

Imagine calling the option “Show Interface” rather than “Configure Interface”.

RedNectar

 


ACI Inband Management Route Leaking Kludge

When I was challenged with this:

Hi @RedNectar ,

Right now I have a simple contract that allows SSH only:

  • Scope set to global.
  • TCP dst 22.
  • “Both directions” and “reverse port filters” enabled.

This contract is provided by the inband EPG at the “mgmt” Tenant and exported to tenant B. EPG at Tenant B consumes the contract interface. Can’t SSH the APICs or switches from a VM in Tenant B. Am I missing something?

I realised my earlier post didn’t cover this scenario where the management workstation was in another Tenant. So here’s the update.

Much like my earlier post, you will have to create an Access Policy Chain to associate a VLAN ID with the interfaces the APICs attach to.  For my example I used VLAN 2002 and my APIC is attached to Leaf 102 & 102 on port 47.

Begin with the Access Policy Chain

Here’s how I built my access policy chain in pictures. Note that I already had Leaf Profiles and Interface Profiles built for leaf 101 & 102;

I was going to need a VLAN pool to specify my chosen VLAN – VLAN 2002, so I created one:

Fabric > Access Policies > Pools > VLAN >+ Create VLAN Pool

Name: mgmt:inb_VLAN.Pool
Allocation Mode: Static Allocation
(+) Encap Blocks:
Range: VLAN 2002 - VLAN 2002

The VLAN Pool needed a Physical Domain, so again…

Fabric > Access Policies > Physical and External Domains >+ Create Physical Domain

Name: mgmt:inb_PhysDom
Vlan Pool: mgmt:inb_VLAN.Pool

which needed an Attachable Access Entity Profile of course…

Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles >+ Create Attachable Access Entity Profile 

Name: mgmt:inb_AAEP
(+) Domains (VMM…External) To Be Associated To Interfaces:
Domain Profile: mgmt:inb_PhysDom

I had to make sure my APICs had LLDP enabled when I made the Access Port Policy Group to link to the AAEP – I already have a suitable policy that would do that as you can see here when I created the Leaf Access Port Policy Group:

Fabric > Access Policies > Interfaces > Leaf Interfaces > Leaf Access Port >+ Create Leaf Access Port Policy Group 

Name: mgmt:APIC_APPG
LLDP Policy:  Enable_LLDP
Attached Entity Profile:  mgmt:inb_AAEP

And to finish the chain, I created interface selectors for each APIC in my existing Interface Profiles.

So that’s the Access Policy Chain done for the APICs

Configuring the mgmt tenant for inband management

Now to set up inband Management in mgmt tenant. Apart from the route leaking trick below, most of this is just following my earlier post where I did a more complete description. I began by adding the inband management IP to the pre-defined inb Bridge Domain.

Then created the In-Band Management EPG, which is a special EPG.

Tenants > mgmt> Node Management EPGs >+ Create In-Band Management EPG 

Name: inb_EPG
Encap:  vlan-2002
Bridge Domain:  inb

This raised an annoying problem, described in bug CSCuz59329

So I fixed it using the work around described in the bug report. In other words I created a Management Node Connectivity Group. In the process, I also created an IP address pool for the group. I’m not sure if I really needed to create an address pool, but I did anyway.

Tenants > mgmt> Managed Node Connectivity Groups >+ Create Managed Node Connectivity Group

I then created Static Node Management Addresses, first for the APICs, which threw up a warning that had me check (and change) the default preference for management back to oob. And then added more static addresses for Leaves and Spines, but it’s really the APICs that matter.

Tenants > mgmt> Static Node Management Addresses >+ Create Static Node Management Addresses

Then the warning…

so I fixed that!

System > System Settings > APIC Connectivity Preference

And checked that my IP had stuck using the ifconfig bond0.2002 command (recall I allocated VLAN 2002 to inb management)

And did a ping test to the default gateway IP to be sure:

So at last, my inband management EPG was set up. It was time to test the challenge given me, which said in part:

Right now I have a simple contract that allows SSH only:

  • Scope set to global.
  • TCP dst 22.
  • “Both directions” and “reverse port filters” enabled.

Filters and Contracts

I already had an SSH filter in the common tenant, so I created a Contract there too ready to do the test.

[Note: I later decided that the Contract would be better created in the mgmt tenant, because having the contract in the common tenant will allow ALL Tenants access to the inband management IP network]

Tenants > common> Contracts > Standard >+ Create Contract -> is what I did

Tenants > mgmt> Contracts > Standard >+ Create Contract -> is what I should have done

I configured the inband management EPG to Provide this contract.

But now I was stuck – I needed a tenant to consume the contract. So back to the question:

This contract is provided by the inband EPG at the “mgmt” Tenant and exported to tenant B. EPG at Tenant B consumes the contract interface.

Creating a test tenant

So I created a Tenant, and of course called it TenantB

TenantB needed a Bridge Domain and an EPG, so I created those too, making sure that I checked the Shared Between VRFs option for the Bridge Domain when I created the subnet for the BD. I also created the Application Profile on the way. I already had a host connected on the 192.168.80.0/24 subnet attached on interface 102/1/26, so I added that host to the EPG in the process, and made sure it consumed the common/SSH.Global_Ct

Tenants > TenantB > Networking > Bridge Domains >+ Create Bridge Domain

Tenants > TenantB > Application Profiles >+ Create Application Profile

Fantastic. So now I had completed everything, but I had one little worry that I wanted to check.

Route Leaking conundrum

My worry was about route leaking.  You see, the Consumer EPG is in a different tenant and different VRF to the Provider EPG, so to make route leaking work I must do these two things:

  1. Enable the Shared Between VRFs on the Bridge Domain or EPG Subnet of the Consumer EPG (which I had done)
  2. Enable the Shared Between VRFs on the EPG Subnet of the Provider EPG which is the special mgmt tenant’s Node Management EPG for In-Band.

So I went looking to how I could add an EPG Subnet to the mgmt tenant’s Node Management EPG for In-Band. I found an option to add a subnet, so I did that, but NOWHERE was I able to click any Shared Between VRFs option.

I thought I’d check leaf 102 to see if any routes had leaked between the VRFs, and as expected, TenantB’s 192.168.80.0/24 route had leaked into the mgmt tenant, but without the ability to make the 192.168.99.0/24 subnet shared between VRFs on the EPG, TenantB’s VRF had no knowledge of the inband management subnet.

Here’s the kludge I used to fix it

I knew that what I needed to do was somehow to get the inband management IP subnet into the routing table for TenantB.  And I knew that to do that, I needed to either:

  1. Add an EPG Subnet with the shared between VRFs option set on the EPG,
  2. Make the mgmt tenant become the consumer of a contract that was provided by TenantB’s EPG. I figured this would work because I was at least able to check the shared between VRFs option on the inband management BD.

I tried option 1 first, and created an Application Profile and EPG in the mgmt tenant, added the 192.168.99.0/24 subnet and checked the shared between VRFs option, and had it also provide the common/SSH.Global_Ct contract.

And sure enough, the routing table was happy.

All that was left to do was to test the validity of the contract from TenantB’s host:

EUREKA! So they say.

But…

I didn’t like the solution.

Because what I had created was a contract in the common tenant that was provided by the inband management tenant, and could therefore be consumed BY ANY TENANT. In other words, I had allowed open access to the management network to any EPG in any tenant that cared to consume the common tenant’s SSH.Global_Ct contract. I’m sure any worthwhile security manager would have something to say about that.

To mitigate this, I considered option 2 above. Make the mgmt tenant become the consumer of a contract that was provided by TenantB’s EPG. I tried this for fun using the same SSH.Global_Ct contract, and it worked, but didn’t mitigate the problem. Any EPG that wanted to consume the same contract would have access to the inband management subnet. And I could see that while ever I was using a contract in the common tenant, I wasn’t going to win.

So I had to move the contract from the common tenant to the mgmt tenant, which also meant that I had to export the contract to TenantB, and then in TenantB, consume the contract as a Consumed Contract Interface. I still faced the route leaking problem, and still had to create the Application Profile + EPG + Subnet with the Shared Between VRFs option to make it work, but at least I ended up with something that I was a little happier with.
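The difference between the two contract placements can be checked mechanically. The following audit sketch is an added example, not part of the original post or of any Cisco tooling: it takes policy snapshots shaped like APIC class-query results and reports which tenants could consume a contract provided by the in-band EPG. The sample objects are constructed, and the DN layouts are assumptions modelled on the ACI object model.

```python
import re

# Constructed policy snapshots shaped like APIC class-query results.
# Class names follow the ACI object model; the exact DN layouts used
# here are assumptions made for this illustration.
INB_PROV = "uni/tn-mgmt/mgmtp-default/inb-inb_EPG/rsprov-SSH.Global_Ct"

# First attempt in the post: contract lives in tenant common.
CONTRACT_IN_COMMON = {
    "vzBrCP": [{"dn": "uni/tn-common/brc-SSH.Global_Ct", "scope": "global"}],
    "fvRsProv": [{"dn": INB_PROV, "tDn": "uni/tn-common/brc-SSH.Global_Ct"}],
    "vzRsIf": [],
}

# Final design in the post: contract lives in tenant mgmt and is
# exported to TenantB as a contract interface.
CONTRACT_IN_MGMT = {
    "vzBrCP": [{"dn": "uni/tn-mgmt/brc-SSH.Global_Ct", "scope": "global"}],
    "fvRsProv": [{"dn": INB_PROV, "tDn": "uni/tn-mgmt/brc-SSH.Global_Ct"}],
    "vzRsIf": [{"dn": "uni/tn-TenantB/cif-SSH.Global_Ct/rsif",
                "tDn": "uni/tn-mgmt/brc-SSH.Global_Ct"}],
}

# Provider relations that hang off an in-band management EPG.
INBAND_PROVIDER = re.compile(r"^uni/tn-mgmt/mgmtp-[^/]+/inb-[^/]+/rsprov-")
TENANT = re.compile(r"^uni/tn-([^/]+)/")


def tenant_of(dn):
    """Extract the tenant name from a distinguished name."""
    match = TENANT.match(dn)
    return match.group(1) if match else None


def inband_exposure(snapshot):
    """List (contract DN, tenants outside mgmt that may consume it)."""
    scopes = {c["dn"]: c["scope"] for c in snapshot["vzBrCP"]}
    findings = []
    for rel in snapshot["fvRsProv"]:
        if not INBAND_PROVIDER.match(rel["dn"]):
            continue
        contract = rel["tDn"]
        if scopes.get(contract) != "global":
            reach = []                      # cannot cross tenants at all
        elif tenant_of(contract) == "common":
            reach = "any tenant"            # visible to every tenant
        else:
            # Only tenants holding an exported contract interface.
            reach = sorted(tenant_of(i["dn"])
                           for i in snapshot["vzRsIf"]
                           if i["tDn"] == contract)
        findings.append((contract, reach))
    return findings


if __name__ == "__main__":
    for name, snap in (("contract in common", CONTRACT_IN_COMMON),
                       ("contract in mgmt", CONTRACT_IN_MGMT)):
        print(name, "->", inband_exposure(snap))
```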

So, there you have it. That’s how you can configure inband management so a tenant can access ACI management.

RedNectar


Understanding Scope Of Prefixes in L3 Out External EPG in ACI —

Excellent post on unofficialaciguide – highly recommended.

In ACI the external Routing Peer to the router is done through border leaves with an object called L3Out. L3Out has an object in it called the L3Out InstP also known as the External EPG.

via Understanding Scope Of Prefixes in L3 Out External EPG in ACI —


Validating IP Address Entries in Excel

Problem:  You are designing a spreadsheet where IP addresses are to be entered. Probably with subnet masks as well.  You want to ensure that the IP addresses and subnet masks entered are valid.

In this series I will explain how this is done, plus a few other IP address manipulating tricks in Excel.

Validating IP Address Entries in Excel

Firstly you need to understand that you can add validation to any Excel cell  by selecting a cell then choosing Data > Validation, (in the Data Tools section of the ribbon).  In this case, use a custom criteria based on a formula.

Now comes the tricky bit. The formula has to be less than 255 characters long, and although there may be more elegant ways of expressing the formula below, I haven’t found one that uses fewer than 262 characters, so you have to choose a compromise. Even after compromising, the formula is only good for cells that have 2 to 4 characters in the cell reference. In other words, this formula won’t work in cell A1000, or AA100 or AAA10 because the cell reference is too large and makes the formula spill over 255 characters.

Formula for validating IP addresses

The formula below is for cell C8, and has been padded with line breaks and extra spaces for readability.  This version is way past the 255 character limit, so check below for a compromise that suits you.

 

= AND(
LEN(C8)-LEN(SUBSTITUTE(C8,".","")) = 3,
--LEFT(C8,FIND(".",C8)-1) < 224,
--LEFT(C8,FIND(".",C8)-1) > 0,
--MID(SUBSTITUTE(C8,".","    "),6,5) < 256,
--MID(SUBSTITUTE(C8,".","      "),15,7) < 256,
--MID(SUBSTITUTE(C8,".","      "),22,10) < 256,
ISNUMBER(--SUBSTITUTE(C8,".",""))
)

And this is how it works:

The AND function is to ensure all the following conditions are met. The first condition checks to see if there are precisely three “dots” in the IP address by replacing the “.” characters with null strings i.e. SUBSTITUTE(C8,".",""). If there are just three “.” characters then the resulting string will be three characters shorter than the whole string with the “dots” included:

LEN(C8)-LEN(SUBSTITUTE(C8,".","")) = 3,

The next condition is to check that the first octet is less than 224 (if you wished to allow multicast addresses, you would check that the first octet is less than 240). So simply extract the characters to the left of the first dot FIND(".",C8)-1 and check that the result is less than 224.

--LEFT(C8,FIND(".",C8)-1) < 224

But hold on – what are those two minus signs doing before the LEFT function?

Well, the problem is that the LEFT returns a string value, and if you compare a string value with a numeric value like 224, the string value will always be larger, so in Excel, a test of:

="1"<224

will always yield a result of FALSE

However, if you perform a numeric operation on the string, like adding zero, or finding the negative value of the string, Excel automagically transforms the string into a number. So, in the case above, the double negative is used to turn the string result into a numeric result so that the comparison works the way you expect. If the double negative worries you, add a 0 to the result instead. So instead of --LEFT(C8,FIND(".",C8)-1) < 224 use:

0 + LEFT(C8,FIND(".",C8)-1) < 224

and you will get the same result. And it uses the same number of characters.

The next comparison is exactly the same as the previous, except it is checking that the first octet of the IP address is larger than zero.

--LEFT(C8,FIND(".",C8)-1) > 0

So that takes care of the first octet, which we extracted by using the LEFT() function. But to extract the second and subsequent octets requires a bit more lateral thinking.

You could try and extract the second octet by looking for the text between the first and second dots. Which is how we mentally do it. But in Excel this would be the mind-blowingly complicated:

=--LEFT(MID(C8,FIND(".",C8)+1,4),FIND(".",MID(C8,FIND(".",C8)+1,4))-1)

and which would chew up far too many of our precious 255 character limit.

But a far more elegant way (the basic idea for which I stole from one of the references below, many of them use a similar approach) is to expand the IP address into sections by replacing the dots with a number of spaces (four in this case), and then extracting that portion of the string where the second octet must reside.

The SUBSTITUTE(C8,".","    ") part takes care of replacing the dots with four spaces. So IP addresses of 1.2.3.4 and 123.145.167.189 get expanded to (using the ∙ character to represent spaces to make them easier to count):

1∙∙∙∙2∙∙∙∙3∙∙∙∙4
123∙∙∙∙145∙∙∙∙167∙∙∙∙189
123456789-123456789-12345

and if you now extract 5 digits from this string beginning with digit 6, MID(SUBSTITUTE(C8,".","    "),6,5) you will get either 2∙∙∙∙ or ∙∙145. Using the double-negative trick again turns either of these results into a number that can be checked to ensure it is less than 256, which is the condition that must be met for octets 2-4.

Moving onto the third octet, the logic is almost identical, except more spaces need to be inserted – six in fact.  (The only reason 4 spaces were used for octet 2 was to save 2 characters out of our limited budget). And this time 7 digits are extracted starting with digit 15.

1∙∙∙∙∙∙2∙∙∙∙∙∙3∙∙∙∙∙∙4
123∙∙∙∙∙∙145∙∙∙∙∙∙167∙∙∙∙∙∙189
123456789-123456789-123456789-

And for the final octet, one more subtle change takes place.  Some of the references I’ve read extract the next nine digits from the above to determine the last octet – but that fails if you enter 4 digits in the last octet, so to be sure to catch the condition where someone types 123.145.167.1891 the final check extracts 10 digits beginning with digit 22.

1∙∙∙∙∙∙2∙∙∙∙∙∙3∙∙∙∙∙∙4
123∙∙∙∙∙∙145∙∙∙∙∙∙167∙∙∙∙∙∙1891
123456789-123456789-123456789-1

The last condition is to check that no additional spaces or operators have been inserted ISNUMBER(--SUBSTITUTE(C8,".","")). This helps ensure that no-one writes an IP address with negative numbers such as 1.2.3.-4. However it is not foolproof. An IP address of say 1.2.-1.2 will be converted to the string “12-12” which Excel with all its smarts sees as a number. What number you say? Well, here’s a hint: 12-12 will be seen as 43811 in 2019, and as 44177 in 2020. Got it? 12-12 is seen as 12 December of the current year.
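The windowing trick described above can be reproduced outside Excel to see exactly which slice each MID term inspects and where the range checks alone fall short. This is an added example, not part of the original post; the function names are hypothetical, the sample inputs are constructed from the cases in the text, and `int()` is only a stand-in for Excel's `--` coercion.

```python
def mid(text, start, length):
    """Excel MID(): 1-based start, at most `length` characters."""
    return text[start - 1:start - 1 + length]


def octet_windows(addr, last_width=10):
    """Return the slices the three MID(SUBSTITUTE(...)) terms look at."""
    four = addr.replace(".", " " * 4)   # SUBSTITUTE(C8,".","    ")
    six = addr.replace(".", " " * 6)    # SUBSTITUTE(C8,".","      ")
    return [mid(four, 6, 5), mid(six, 15, 7), mid(six, 22, last_width)]


def passes_window_checks(addr, last_width=10):
    """Model of the three '< 256' terms only.

    int() stands in for Excel's '--' coercion. This is a simplification:
    Excel also coerces dates and other text that int() rejects.
    """
    try:
        return all(int(w) < 256 for w in octet_windows(addr, last_width))
    except ValueError:          # empty or non-numeric window
        return False


def strict_ipv4(addr):
    """The same rules as the full formula, written without a length budget:
    exactly three dots, digits only, first octet 1..223, the rest 0..255."""
    parts = addr.split(".")
    if len(parts) != 4:
        return False
    if not all(p.isascii() and p.isdigit() for p in parts):
        return False
    first, *rest = (int(p) for p in parts)
    return 0 < first < 224 and all(n < 256 for n in rest)


# Constructed sample inputs, taken from the cases discussed in the text.
SAMPLES = [
    "1.2.3.4",
    "123.145.167.189",
    "123.145.167.1891",   # four digits in the last octet
    "1.2.-1.2",           # negative octet: only an upper bound is tested
    "1.2.3.4.",           # trailing dot
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:20} windows={octet_windows(s)} "
              f"nine_wide={passes_window_checks(s, 9)} "
              f"ten_wide={passes_window_checks(s)} "
              f"strict={strict_ipv4(s)}")
```

The nine-character window accepts 123.145.167.1891 because it only ever sees `189`; the ten-character window sees `1891` and rejects it.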

Choose your crutch – which condition do you want to remove?

Remember I mentioned that the solution is too long? Here it is again as a reminder, in a slightly different order:

= AND(
LEN(C8)-LEN(SUBSTITUTE(C8,".","")) = 3,
--LEFT(C8,FIND(".",C8)-1) > 0,
ISNUMBER(--SUBSTITUTE(C8,".","")),
--LEFT(C8,FIND(".",C8)-1) < 224, 
--MID(SUBSTITUTE(C8,".","    "),6,5) < 256,
--MID(SUBSTITUTE(C8,".","      "),15,7) < 256,
--MID(SUBSTITUTE(C8,".","      "),22,10) < 256
)

To use the formula as a validation criteria, you have to remove something to bring it below the 255 character limit.

Compromise#1: Ignore more than three dots

If you remove the first condition (LEN(C8)-LEN(SUBSTITUTE(C8,".","")) = 3) then not only will you be able to enter IP addresses that end in a trailing dot, you’ll be able to enter addresses like 1.2.3.4…5.6.7.8. As shown below though, you COULD catch this with conditional formatting, and do something about it, such as highlighting the cell in red.

Here’s a cut & pastable version of the testing validation criteria:

=AND(--LEFT(C8,FIND(".",C8)-1)<224,--LEFT(C8,FIND(".",C8)-1)>0,ISNUMBER(--SUBSTITUTE(C8,".","")),--MID(SUBSTITUTE(C8,".","    "),6,5)<256,--MID(SUBSTITUTE(C8,".","      "),15,7)<256,--MID(SUBSTITUTE(C8,".","      "),22,10)<256)

Compromise#2: Allow zeros and negatives

If you remove the second condition (--LEFT(C8,FIND(".",C8)-1) > 0) then not only will you allow IP addresses beginning with 0, but also negative addresses in the first octet. (The ISNUMBER(--SUBSTITUTE(C8,".","")) condition attempts to take care of negatives in the other octets). Personally, I’d remove this condition before removing the check for 3 dots.

Here’s a cut & pastable version of the testing validation criteria without the test for the first octet being greater than 0.

=AND(LEN(C8)-LEN(SUBSTITUTE(C8,".",""))=3,--LEFT(C8,FIND(".",C8)-1)<224,ISNUMBER(--SUBSTITUTE(C8,".","")),--MID(SUBSTITUTE(C8,".","    "),6,5)<256,--MID(SUBSTITUTE(C8,".","      "),15,7)<256,--MID(SUBSTITUTE(C8,".","      "),22,10)<256)

Compromise#3: Allow spaces and negative octets

If you remove the condition (ISNUMBER(--SUBSTITUTE(C8,".",""))) then you can insert spaces into the IP address, which probably doesn’t matter much. It will also allow negative octets too, although even with the test some negatives get interpreted as dates anyway. I see this as the least useful test, and is my preferred test to omit.

And of course, in cut and pastable form:

=AND(LEN(C8)-LEN(SUBSTITUTE(C8,".",""))=3,--LEFT(C8,FIND(".",C8)-1)<224,--LEFT(C8,FIND(".",C8)-1)>0,--MID(SUBSTITUTE(C8,".","    "),6,5)<256,--MID(SUBSTITUTE(C8,".","      "),15,7)<256,--MID(SUBSTITUTE(C8,".","      "),22,10)<256)

So there you have it, data validation for IP addresses in a single cell. Next time I’ll show how to validate subnet masks that can only contain the values 255,254,252,224,192,128 and 0 in any octet.

RedNectar

References:

https://www.excelforum.com/excel-formulas-and-functions/1100653-ip-address-conversion-formula.html

This is the one that got me started – Glenn Kennedy’s answer to an IP Address conversion formula

https://www.excelforum.com/excel-formulas-and-functions/1100653-ip-address-conversion-formula.html and https://www.pcreview.co.uk/threads/ip-address-validation.3651179/

Both these sites have Ron Rosenfield’s validation for cell I1 as

=AND(--LEFT(I1,FIND(".",I1)-1)<256,
--(MID(SUBSTITUTE(I1,".",REPT(" ",99)),99,99))<256,
--(MID(SUBSTITUTE(I1,".",REPT(" ",99)),198,99))<256,
--TRIM(RIGHT(SUBSTITUTE(I1,".",REPT(" ",99)),99))<256)

but this has too many false positives. For instance, it would allow an IP address of 244.244.244.244 which is invalid.

https://www.excelforum.com/excel-formulas-and-functions/1253877-subnetting-validation.html

Apart from the fact that it didn’t test the last octet for values greater than 255, XOR LX‘s suggestion of:

=SUMPRODUCT(N(LOG(1+MID(SUBSTITUTE(B1,".",REPT(" ",10)),{1,11,21,31},10),2)<=8))

was interesting, but a) you can’t use SUMPRODUCT in cell Validation criteria, b) when expanded to make it work takes more characters than the solution I’ve used and c) was missing the comparison criteria. It should have been:

=SUMPRODUCT(N(LOG(1+MID(SUBSTITUTE(B1,".",REPT(" ",10)),{1,11,21,31},10),2)<=8))=4

It was interesting because it made use of the fact that the log base 2 of 256 is 8, and less than 8 for any number less than 256. The SUMPRODUCT counts the number of octets that have a log base 2 equal to or less than 8, which of course should be 4.

 

 


Seven things to know to make Hyperflex go – Cisco HyperFlex Best Practices

You have Cisco Hyperflex installed, but not quite sure if there is anything you need to do differently now that you want to deploy VMs on the Hyperflex Data Platform (HXDP).

Well, yes there are some things that you need to do differently, and some you should do differently, but most activities you’ve ever done with VMs and ESXi hosts will remain the same.

Here are the seven things you need to know to make Hyperflex perform optimally.

Create new users for the HX Connect GUI from vCenter (Must Do)

Create Datastores using the HXDP utilities, not vCenter standard Datastore creation (Must Do)

Create Snapshots using the HXDP utilities, not vCenter standard Snapshot function (Must Do)

Create multiple Clones using the HXDP utilities (Should Do)

Use HXDP Maintenance Mode, not vCenter standard Maintenance Mode (Must Do)

Upgrade ESXi software using HX Connect or Intersight, not vCenter (Must Do)

Create new VLANs using the HX Installer VM (Should Do)

Create new users for the HX Connect GUI from vCenter (Must Do)

There is a default admin user that can be used to log into the HX Connect GUI, but best practice is to use your vCenter username and password.  If you want to add a read-only or another administrator user for Hyperflex, use the regular method for creating a user in vCenter.

Create Datastores using the HXDP utilities, not vCenter standard Datastore creation (Must Do)

Before you can even begin to use Hyperflex, you must create a Datastore on your HXDP.  Since you will only do this rarely, it is an easy point to forget, which can lead to frustration if you try to do this using the normal Datastore creation method from vCenter, because vCenter will want to assign the Datastore to a single ESXi host, whereas the HX Datastore will be distributed across all HX ESXi storage nodes. In other words, you can’t create a Datastore on your HXDP using the normal Datastore creation method from vCenter.  Creating a HX Datastore can only be done in one of two ways, using Hyperflex Connect (easy) or the vCenter plugin (messy).

Method #1: Using HX Connect:

Click Datastores and then Create Datastore (I said it was easy)

Figure 1 Creating a Datastore in Hyperflex Connect is easy


Method #2: Using vCenter:

Navigate to Global Inventory Lists > Cisco HX Data Platform.  Next, select your cluster in the Navigator then click on the Manage tab. From here, click on the Datastores sub-tab where you will find an icon that will let you create a Datastore.

Figure 2 Creating a Datastore in vCenter is messy


Create Snapshots using the HXDP utilities, not vCenter standard Snapshot function (Must Do)

This one is a bit tricky. When you create the first Snapshot in one of the two HXDP methods, a special SENTINEL snapshot is created. This ensures that any future snapshots can trace their pointer-based log-structured file system origins back to the original format. IF YOU CREATE THE FIRST SNAPSHOT using the VMware standard Snapshot functions, then you are stuck with the VMware Re-do snapshot system and will be stuck with the non-HX aware consolidation process should you wish to consolidate in the future.

The VMware Re-do snapshot system works like this: The first snapshot is made, and the .vmdk file for that VM is locked. A new .vmdk file is created to record any changes that are made after the original snapshot is made. Similarly, when the next snapshot is made, the second .vmdk file for that VM is locked and a new one created, and so on. The problem with this method is not so much that no data is ever deleted, and the size of the snapshot re-do files may become far greater than the original, but that if you find that you need to reclaim the space, VMware now has to revert to the original snapshot and process the Re-do files. This process can take minutes, hours or even days depending on the size and complexity of the Re-do files – and there is a possibility that the process may exhaust your existing disk space before completion (after all, you are probably doing the consolidation to reclaim some space).

Hyperflex consolidation works like this:  All the pointer-based snapshots are deleted in a matter of seconds, and the redundant chunks of data marked for deletion. Job done. In seconds. And no chance of running out of disk space.

Moral of this story: Use Hyperflex pointer-based snapshots for the first snapshot for all VMs.  And to ensure this happens, why not take the approach of using Hyperflex pointer-based snapshots for all snapshots?


Here are the two ways of creating HXDP pointer-based snapshots:

Method #1: Using HX Connect:

Click Virtual Machines and then from the Actions menu, select Snapshot Now

Figure 3 Creating Snapshots in Hyperflex Connect


Method #2: Using vCenter (must be Flash version of vCenter, not HTML):

Navigate to Global Inventory Lists > Cisco HX Data Platform.  Next, select your cluster in the Navigator then click on the Manage tab. From here, click on the Datastores sub-tab where you will find an icon that will let you create a Datastore.

Figure 4 When creating HXDP Snapshots in vCenter you need to be careful


Create multiple Clones using the HXDP utilities (Should Do)

If you want to create one clone of a VM, it does not matter whether you use the standard VMware cloning option or the HXDP Ready Clones option.  The main thing to remember is that to take advantage of the Hyperflex pointer-based log-structured file system’s inherent de-duplication, you must make sure that the VM you are cloning does not have any VMware Redo snapshots – only HXDP pointer-based snapshots.  However, when you use the HXDP Ready Clones option, you’ll be able to create as many clones as you want without taking any extra disk space because of the Hyperflex pointer-based log-structured file system’s inherent de-duplication.  One thing though, if you want to use Customisation Specifications or Resource Pools, you’ll have to have already created them in vCenter.

Figure 5 Creating HXDP Ready Clones in HX Connect

Figure 6 Creating HXDP Ready Clones in vCenter


Use HXDP Maintenance Mode, not vCenter standard Maintenance Mode (Must Do)

Should you ever need to shut down an ESXi storage host (and you will need to sometime), make sure you use the HXDP Maintenance Mode, not vCenter standard Maintenance Mode. The difference is this: When you shut down an ESXi storage host using the HXDP Maintenance Mode, the HXDP Controller VM will be shut down cleanly, and the other ESXi hosts will be informed that the HXDP Controller VM for that host is no longer available. To understand the repercussions of this, you need to be aware of how the HX IOVisor works (which I hope will be the subject of a future blog post). When you use the standard VMware Maintenance mode, VMware doesn’t know that the HXDP Controller VM needs to be shut down gracefully and the other ESXi hosts need to be informed that the HXDP Controller VM for that host is no longer available, so shuts down the ESXi host regardless. Now, the HXDP will recover from this mishap in time (in most cases), but it is certainly NOT “best practice”.

Figure 7 Entering HXDP Maintenance Mode using HX Connect


Figure 8 Entering HXDP Maintenance Mode using HXDP extensions in vCenter


Upgrade ESXi software using HX Connect or Intersight, not vCenter (Must Do)

When the ESXi software needs to be upgraded, remember the ESXi software on your HXDP hosts has been modified by the addition of the IOVisor and the VAAI .vibs (VMware Installation Binaries), so upgrading the ESXi hosts is NOT a simple matter of upgrading using VMware’s released version – you need the ESXi versions released by Cisco with the appropriate .vibs installed.  The simplest way to do this is to make sure you do the upgrades using Hyperflex Connect, or better still (if you have more than one site) Cisco’s Intersight SaaS platform (https://intersight.com) which can upgrade multiple HXDP sites in a single click! (Pause while I sip some more Kool-Aid). BTW, even if you have only one site, you should still connect your cluster to Intersight, but I’ll talk about that in a future post.

Figure 8 Upgrading using HX Connect


Create new VLANs using the HX Installer VM (Should Do)

If you ever need a new VLAN on the HX data platform, you need to make sure that VLAN is available to each ESXi host, each Fabric Interconnect, and your upstream switches.  Since Hyperflex was designed to run on ROBO versions of VMware and above, standard vSwitches are maintained in each ESXi host, so Cisco has provided a utility that allows you to quickly create a new VLAN on all hosts plus the Fabric Interconnects in one step, a task that is quite tedious if you are not using vSphere Distributed Switches.  Of course, if you have a version of VMware that supports VMware VDS, you probably won’t want to use this feature (because it configures Standard vSwitches, not vSphere Distributed Switches).  You’ll be prompted to enter usernames and passwords for UCSManager, vCenter and the ESXi Hosts, so it is a bit tedious, but simpler and safer than adding the VLANs manually to each ESXi host and the FIs.  Here’s a sample session adding one VLAN – in this case it was a stretched cluster, so the VLANs were added to six hosts and four Fabric Interconnects in one hit!

root@HyperFlex-Installer:~# post_install --vlan
Logging in to controller 198.51.100.10
HX CVM admin password: **************
Getting ESX hosts from HX cluster...
vCenter URL: 198.51.100.100
Enter vCenter username (user@domain): administrator@vsphere.local
vCenter Password: **************
Found datacenter HX-DC
Found cluster HXCLUS01

post_install to be run for the following hosts:
 sitea-esxi01.mynet.local
 sitea-esxi02.mynet.local
 sitea-esxi03.mynet.local
 siteb-esxi01.mynet.local
 siteb-esxi02.mynet.local
 siteb-esxi03.mynet.local


 Enter ESX root password: **************
 Attempting to find UCSM IP
Site A - UCSM IP: 198.51.100.9
Site A - UCSM Username: admin
Site A - UCSM Password: **************
Site A - HX UCS Sub Organization: HX
Site B - UCSM IP: 198.51.100.109
Site B - UCSM Username: admin
Site B - UCSM Password: **************
Site B - HX UCS Sub Organization: HX
 Port Group Name to add (VLAN ID will be appended to the name): TestVLAN
 VLAN ID: (0-4096) 104
 Adding VLAN 104 to FI
 Adding VLAN 104 to vm-network-a VNIC template
 Adding VLAN 104 to FI
 Adding VLAN 104 to vm-network-a VNIC template
Adding TestVLAN-104 to sitea-esxi01.mynet.local
Adding TestVLAN-104 to sitea-esxi02.mynet.local
Adding TestVLAN-104 to sitea-esxi03.mynet.local
Adding TestVLAN-104 to siteb-esxi01.mynet.local
Adding TestVLAN-104 to siteb-esxi02.mynet.local
Adding TestVLAN-104 to siteb-esxi03.mynet.local
Add additional VM network VLANs? (y/n) n
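
A saved session like the one above can be checked after the fact. The following is an added example, not part of the original post and not a Cisco tool: a Python check that every host in the list got the port group and that one Fabric Interconnect update was logged per UCSM domain. The function name audit_vlan_session and the shortened transcript are assumptions made for the illustration.

```python
import re

# Constructed transcript, shortened from the session format shown above;
# siteb-esxi02 is deliberately missing from the final "Adding" lines.
SAMPLE = """\
post_install to be run for the following hosts:
 sitea-esxi01.mynet.local
 siteb-esxi01.mynet.local
 siteb-esxi02.mynet.local

Site A - UCSM IP: 198.51.100.9
Site B - UCSM IP: 198.51.100.109
 Port Group Name to add (VLAN ID will be appended to the name): TestVLAN
 VLAN ID: (0-4096) 104
 Adding VLAN 104 to FI
 Adding VLAN 104 to vm-network-a VNIC template
 Adding VLAN 104 to FI
 Adding VLAN 104 to vm-network-a VNIC template
Adding TestVLAN-104 to sitea-esxi01.mynet.local
Adding TestVLAN-104 to siteb-esxi01.mynet.local
"""

def audit_vlan_session(text):
    """Return a list of problems found in a saved `post_install --vlan` session."""
    hosts_m = re.search(r"following hosts:\n((?:[ \t]*\S+[ \t]*\n)+)", text)
    name_m = re.search(r"appended to the name\):\s*(\S+)", text)
    vlan_m = re.search(r"VLAN ID: \(0-4096\)\s*(\d+)", text)
    if not (hosts_m and name_m and vlan_m):
        return ["transcript incomplete: host list, port group name or VLAN ID missing"]
    hosts = hosts_m.group(1).split()
    vlan = int(vlan_m.group(1))
    port_group = f"{name_m.group(1)}-{vlan}"
    problems = []
    # The prompt accepts 0-4096, but only 1-4094 are ordinary 802.1Q VLANs;
    # on a standard vSwitch 0 means untagged and 4095 trunks every VLAN.
    if not 1 <= vlan <= 4094:
        problems.append(f"VLAN ID {vlan} is not an ordinary tagged VLAN (1-4094)")
    # One "Adding VLAN n to FI" line is expected per UCSM domain (site).
    sites = len(re.findall(r"UCSM IP:", text))
    fi_adds = len(re.findall(rf"Adding VLAN {vlan} to FI\b", text))
    if fi_adds != sites:
        problems.append(f"{fi_adds} FI updates logged for {sites} UCSM domains")
    # Every listed host needs its own "Adding <port group> to <host>" line.
    done = set(re.findall(rf"Adding {re.escape(port_group)} to (\S+)", text))
    for host in hosts:
        if host not in done:
            problems.append(f"port group {port_group} not added to {host}")
    return problems
```

Run against the constructed sample, it reports that siteb-esxi02.mynet.local never received TestVLAN-104.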