White Paper
EMC VPLEX WITNESS DEPLOYMENT WITHIN VMWARE VCLOUD AIR
Abstract
This white paper provides a summary and an example of deploying VPLEX Witness in a public cloud based virtual data center. In particular, the rationale for VPLEX Witness within VMware vCloud Air and sample deployment steps are provided.
Copyright © 2015 EMC Corporation. All Rights Reserved.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
The information in this publication is provided “as is”. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.
Part Number H14033
Deploying VPLEX Witness within a Public Cloud
Table of Contents
Executive summary
Support Statement
Audience
Introduction
Why is VPLEX Witness critical?
VPLEX Witness Deployment Requires a 3rd Fault Domain
EMC Delivery and Service Offerings
VPLEX Witness Virtual Machine Installation Requirements
Securing Your IP Management Network When Using Public Cloud
Host and Networking Requirements for VPLEX Witness
Deployment Example: VMware vCloud Air
Conclusion
Executive summary
For several years, businesses have relied on traditional physical storage to meet their information needs. Developments such as server virtualization and the growth of multiple sites throughout a business's network have placed new demands on how storage is managed and how information is accessed.
To keep pace with these new requirements, storage must evolve to deliver new methods of freeing data from a physical device. Storage must be able to connect to virtual environments and still provide automation, integration with existing infrastructure, consumption on demand, cost efficiency, availability, and security.
The EMC® VPLEX family is the next generation solution for information mobility and access within, across, and between physical or virtual data centers. It is the first platform that delivers both Local and Distributed storage Federation.
• Local Federation provides the transparent cooperation of physical elements within a site.
• Distributed Federation extends access between two locations across distance.
VPLEX is a solution for federating both EMC and non-EMC storage.
VPLEX completely changes the way IT is managed and delivered, particularly when deployed with server virtualization. By enabling new models for operating and managing IT, resources can be federated (pooled and made to cooperate through the stack) with the ability to dynamically move applications and data across geographies and service providers. The VPLEX family breaks down technology silos and enables IT to be delivered as a service.
VPLEX Metro requires VPLEX Witness in order to deliver continuous availability across data centers. VPLEX Witness requires a 3rd fault domain for deployment, but some customers do not have a 3rd fault domain available to them. One solution to this challenge is to leverage public cloud virtual datacenters to provide the 3rd fault domain. This whitepaper outlines an example deployment of VPLEX Witness using VMware vCloud Air.
Support Statement
For the most up to date information on VPLEX Metro and the applications it supports, please refer to the VPLEX EMC Simple Support Matrix located on support.emc.com.
This white paper is based on the systems architecture of EMC VPLEX Metro and VMware vCloud Air.
Audience
• EMC Pre-Sales Organization for outlining and describing the architecture for their customers prior to purchase.
• EMC Global Services Application Support for effectively introducing the product into the environment and assuring that the implementation is specifically oriented to the customers’ needs and negates any possible DU/DL and/or application failure or misunderstanding of such failures.
• EMC customers who are interested in deploying VPLEX Witness, or who have deployed VPLEX and need a solid understanding of how VPLEX Metro benefits from VPLEX Witness.
Introduction
EMC VPLEX Metro uses a cluster guidance mechanism known as VPLEX Witness to provide continuous availability in the event of a site failure. Using VPLEX Witness ensures that Continuous Availability can be delivered by VPLEX Metro. Continuous Availability means that regardless of site or link/WAN failures, data will automatically remain online in at least one of the locations. The challenge for some VPLEX Metro customers is providing a physically isolated site to use as a 3rd fault domain. Here is where public cloud providers can be leveraged to solve this problem. Since VPLEX Witness is a virtual machine, it can easily be deployed within a public cloud that is up to 1000 ms away from each of the two primary VPLEX sites.
Why is VPLEX Witness critical?
When a single distributed volume or a group of distributed volumes is set up, preference rules are configured. It is the preference rule that determines the outcome after failure conditions such as site failure or dual WAN link partition. The preference rule can be set to Site A preferred, Site B preferred, or no automatic winner for each distributed volume and/or group of distributed volumes.
Overall, the following effects on a single distributed volume or a group of distributed volumes can be observed under each of the failure conditions listed in Table 1:

| Preference rule / scenario | VPLEX cluster partition (Site A / Site B) | Site A fails (Site A / Site B) | Site B fails (Site A / Site B) |
|---|---|---|---|
| Cluster A preferred | ONLINE / SUSPENDED: GOOD | FAILED / SUSPENDED: BAD (by design) | ONLINE / FAILED: GOOD |
| Cluster B preferred | SUSPENDED / ONLINE: GOOD | FAILED / ONLINE: GOOD | SUSPENDED / FAILED: BAD (by design) |
| No automatic winner | SUSPENDED (by design) | SUSPENDED (by design) | SUSPENDED (by design) |

Table 1 Failure scenarios without VPLEX Witness
Table 1 shows that when only preference rules are used (without VPLEX Witness), some scenarios require manual intervention to bring the VPLEX volume online at a given VPLEX cluster. For example, if Site A is the preferred site and Site A fails, Site B would also suspend.
This is why VPLEX Witness matters so much: it can dramatically improve the situation. It can better diagnose failures, because the independent fault domain isolation and network triangulation ensure that Witness can provide guidance to each of the clusters. This allows VPLEX Metro to provide an active path to the data in both the dual WAN partition and full site loss scenarios, as shown in Table 2:

| Preference rule | VPLEX cluster partition (Site A / Site B) | Site A fails (Site A / Site B) | Site B fails (Site A / Site B) |
|---|---|---|---|
| Cluster A preferred | ONLINE / SUSPENDED: GOOD | FAILED / ONLINE: GOOD | ONLINE / FAILED: GOOD |
| Cluster B preferred | SUSPENDED / ONLINE: GOOD | FAILED / ONLINE: GOOD | ONLINE / FAILED: GOOD |
| No automatic winner | SUSPENDED (by design) | SUSPENDED (by design) | SUSPENDED (by design) |

Table 2 Failure scenarios with VPLEX Witness
Table 2 shows the results when VPLEX Witness is deployed: failure scenarios become self-managing (i.e. fully automatic).
VPLEX Witness Deployment Requires a 3rd Fault Domain
VPLEX Witness must be deployed within an independent failure domain so that it is isolated from events within either of the other two VPLEX clusters that form VPLEX Metro. What is an independent failure domain? It is a domain that does not share any resources with another domain. In short, it needs to operate independently from the domains it is monitoring. The third site in our example is the public cloud provided by VMware vCloud Air.
EMC Delivery and Service Offerings
EMC offers standard delivery and professional services to provide Public Cloud based VPLEX Witness deployment. These are not net new offerings, but rather variations on what EMC already provided for installation options. Customers will still have to supply information for services to complete installation as if it were installed on customer premises.
VPLEX Witness Virtual Machine Installation Requirements
The Cluster Witness Server is a Linux process that runs in a SLES 11 (64-bit) guest OS VM. The VM is packaged as an Open Virtualization Format Archive (OVA), and installation follows the standard OVA deployment workflow within vSphere Web Client or vSphere Desktop Client. Since VPLEX Witness is a virtual machine, it can be hosted by a Public Cloud provider and then connected to each of the two VPLEX Metro sites using a VPN connection. It requires a publicly accessible IP address (for example, using SNAT/DNAT rules + a public edge gateway IP) and an IP network connection to the VPLEX management server at each site.
Securing Your IP Management Network When Using Public Cloud
Does opening up a port to the cloud based witness pose a threat? Certainly, any port open in a firewall can be exploited if a weakness is found or credentials are leaked. To bolster security and reduce your risk, it is recommended that a secondary perimeter be set up around the VPLEX management servers to prevent the possibility of anyone using them to hop onto other management resources. See the EMC VPLEX Security Configuration Guide for port usage, and work with your IP network team to ensure that the secondary perimeter around the VPLEX management servers properly secures your resources.
Host and Networking Requirements for VPLEX Witness
Server host requirements
SERVER HOST REQUIREMENT: DESCRIPTION
• Host hardware: Refer to the ESSM for a list of supported ESX versions.
  To ensure a trouble free installation of ESX:
  Verify the hardware is compliant as described in the Hardware Compatibility Guide (http://www.vmware.com/resources/compatibility/search.php) including:
    • System compatibility
    • I/O compatibility (Network and HBA cards)
    • Storage compatibility
    • Backup software compatibility
  Install and run only on servers with 64 bit x86 CPUs.
  NOTE: 32-bit no longer supported
  Verify Intel Virtualization Technology (VT) is enabled in the host's BIOS.
  NOTE: VPLEX Witness VM is not supported on VMware Server, VMware Player, VMware Fusion, or VMware Workstation.
• CPU utilization: Allocate one vCPU for the Cluster Witness Server guest VM.
• RAM utilization: Allocate 512MB for the Cluster Witness Server guest VM.
• Hard disk storage utilization: Allocate 2.5GB of storage space for Cluster Witness Server guest VM. If deploying on VMware-FT, the storage must be visible to all hosts in the VMware cluster.
• Network interface card: 1 GigE NIC with one Ethernet port connected to the IP management network.
• Network adapter: It must be possible to allocate two Virtual Network Adapters for use by Cluster Witness Server guest VM.
• Network addresses: Host must be configured with a static IP address on a public network.
• Power: Host must be connected to a UPS (Uninterruptible Power Source) to protect against power outages.
• BIOS: Host should enable BIOS Virtualization Technology (VT) extension in the BIOS. This ensures proper functionality and performance of the Cluster Witness Server VM.
• Security: Access to the Cluster Witness Server host (the ESX Server) must be secured via a password (assigned and configured by the customer).
Networking requirements
The VPLEX Witness virtual machine must be connected to the same IP management network that provides inter-cluster management connectivity at VPLEX Site1 and VPLEX Site2.
NETWORK REQUIREMENT: DESCRIPTION/DETAILS
• High Availability: The IP Management network for the Cluster Witness Server must use physically separate networking equipment from either of the inter-cluster networks used by VPLEX.
  CAUTION: Failure to meet this deployment requirement significantly increases the risk of Data Unavailability in the event of simultaneous loss of inter-cluster connectivity as well as connectivity with the Cluster Witness Server.
• Accessibility: Static IP addresses must be assigned to the public ports on each management server (eth3) and the public port in the Cluster Witness Server VM (eth0).
  If these IP addresses are in different subnets, the IP Management network must be able to route packets between all such subnets.
  To confirm connectivity between subnets:
  Use the ping -I eth3 cws-public-ip-address command from either of the management servers to the public IP address of the Cluster Witness Server. Note: -I flag uses the uppercase letter i.
  Firewall configuration settings in the IP Management network must not prevent the creation of IPsec tunnels. VPLEX Witness traffic as well as VPLEX management traffic use VPN tunnels established on top of IPsec.
  The following protocols must not be filtered in either the inbound or outbound direction:
    • Authentication Header (AH): IP protocol number 51
    • Encapsulating Security Payload (ESP): IP protocol number 50
  The following ports must be open on the firewall:
    • Internet Key Exchange (IKE): UDP port 500
    • NAT Traversal in the IKE (IPsec NAT-T): UDP port 4500
  The IP Management network must be capable of transferring SSH traffic between management servers and Cluster Witness Server.
  The following ports must be open on the firewall and not filtered in either incoming or outgoing direction:
    • Secure Shell (SSH): TCP port 22
    • Domain Name Service (DNS): UDP port 53
  Ensure that both outgoing and incoming traffic for UDP port 53 (DNS) is allowed for the network where ESX host with Cluster Witness Server VM is deployed.
  The IP Management network must not be able to route to the following reserved VPLEX subnets:
    • 128.221.252.0/24
    • 128.221.253.0/24
    • 128.221.254.0/24
  IMPORTANT: If any of these networks are accessible from the public IP management network, contact EMC Customer Support.
  If VPLEX is deployed with an IP inter-cluster network, the inter-cluster network must not be able to route to the following reserved VPLEX subnets:
    • 128.221.252.0/24
    • 128.221.253.0/24
    • 128.221.254.0/24
  IMPORTANT: If any of these networks are accessible from the public IP management network, contact EMC Customer Support.
• Bandwidth: A typical VPLEX Witness deployment generates 2-3 Kbps of duplex VPLEX Witness IP traffic (transmitted over IP management network) per director per cluster.
  For example, a quad engine cluster (8 directors) will generate 16-24 Kbps of duplex VPLEX Witness IP traffic.
• MTU: The required minimum value for Maximum Transmission Unit (MTU) is 1500 bytes. Configure MTU as 1500 or larger.
• Latency: Round trip latencies on the management network between the Cluster Witness Server and both management servers in the VPLEX Metro or VPLEX Geo should not exceed 1 second.
Deployment Example: VMware vCloud Air
Example Network Topology:
Note: The steps below provide an overview of the VPLEX Witness virtual machine installation in a VMware vCloud Air virtual data center. They are intended to provide an overview of the installation process, but they do not replace the official VPLEX Witness installation documentation provided by the Solve Desktop application.
Step 1: Connect to the Public Cloud / Virtual Data Center you wish to deploy into. In this example, the VDC is within VMware vCloud Air.
Note: In this example VMware vCloud Director is used for .ova deployment. Install the vCloud Director plug-in into your web browser if it has not already been installed.
Step 2: Select Deploy Virtual Machine from the Virtual Machines tab.
Step 3: Select Create My Virtual Machine from Scratch.
Step 4: Click on the Add App from OVF icon.
Step 5: Follow the Add vApp from OVF wizard-driven instructions and provide the path to the .ova file for VPLEX Witness (provided by EMC).
Step 6: Review Details.
Step 7: Accept License.
Step 8: Name the VPLEX Witness vApp.
Step 9: Name the computer that will host the VM.
Step 10: Set Network 1 and Network 2 to Static - IP Pool addresses. Set Network 1 for default routed network and Network 2 to default isolated. Click Next.
Note: Do not set IP addresses during OVA upload / deployment.
Step 11: Leave CPU, Memory, Disk to default settings. Click Next.
Step 12: Select Power on vApp after wizard is finished. Click Finish.
Step 13: Observe .ova deployment progress and completion.
Step 14: Confirm VPLEX Witness VM is deployed and powered on. If it is not powered on, power it on now. Follow the official VPLEX Witness install procedures (available from Solve) to set the IP of the VPLEX Witness via the console.
Step 15: Modify Firewall rules to accommodate IP traffic from the VPLEX VM to the VPLEX Clusters. Click on the Gateways tab and then click on the gateway you will be sending VPLEX IP traffic through. Then click the Firewall Rules tab and modify the rules to allow traffic to and from the VPLEX Witness VM to the VPLEX Management Server at each site.
Add/Modify Firewall rules to allow all traffic from the VPLEX Witness VM to the VPLEX Management Servers:
In this example, all traffic in the vCloud Air data center (not just VPLEX Witness) is being allowed to connect back to the management network. If very granular rules are used, ensure that the port, protocol, and IP requirements (shown earlier in this document) for VPLEX Witness IP traffic are in place. A direct VPN connection is in place between vCloud Air and the two physical data centers that contain VPLEX, so this IP configuration is secure. The VDC in this case also has other applications and IP traffic, so opening it up to all traffic was deemed acceptable. In some cases, a narrower set of rules will be used to limit traffic to just the VPLEX Witness VM and just the VPLEX Management Servers.
Step 16: Confirm VPLEX is now connected to the Gateway:<br />
Step 17: Confirm Virtual Machine Status and Network Settings:<br />
Step 18: Follow the standard VPLEX Witness installation instructions (available from the Solve Desktop application) to complete the configuration of VPLEX Witness.
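
The port, protocol and reserved-subnet requirements listed under Networking requirements, and the allow-all versus narrower rule sets discussed in Step 15, can be checked against a candidate rule list before it is applied to the gateway. The Python below is an added example, not part of the original paper and not EMC or VMware tooling; the Rule model, the first-match/default-deny evaluation and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# From the page's networking requirements: ESP (IP protocol 50), AH (51),
# IKE udp/500, NAT-T udp/4500, SSH tcp/22. DNS udp/53 is left out because its
# peer is the resolver, not a management server (assumption of this example).
REQUIRED = [("esp", None), ("ah", None), ("udp", 500), ("udp", 4500), ("tcp", 22)]
RESERVED = [ipaddress.ip_network(n) for n in
            ("128.221.252.0/24", "128.221.253.0/24", "128.221.254.0/24")]

@dataclass(frozen=True)
class Rule:                      # hypothetical rule model, not a vCloud Air API
    src: str                     # host address, CIDR, or "any"
    dst: str
    proto: str                   # "tcp", "udp", "esp", "ah" or "any"
    port: Optional[int] = None   # None = any port / not applicable
    action: str = "allow"

def net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def allowed(rules, src, dst, proto, port):
    """First-match evaluation with default deny (assumed gateway semantics)."""
    for r in rules:
        if (ipaddress.ip_address(src) in net(r.src)
                and ipaddress.ip_address(dst) in net(r.dst)
                and r.proto in ("any", proto)
                and r.port in (None, port)):
            return r.action == "allow"
    return False

def missing_flows(rules, witness, mgmt_servers):
    """Required witness<->management flows that the rule set would drop."""
    return [(s, d, p, port) for m in mgmt_servers
            for s, d in ((witness, m), (m, witness))
            for p, port in REQUIRED if not allowed(rules, s, d, p, port)]

def findings(rules, witness, mgmt_servers):
    """Allow rules wider than witness<->management or touching reserved subnets."""
    endpoints = {ipaddress.ip_address(a) for a in (witness, *mgmt_servers)}
    out = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        s, d = net(r.src), net(r.dst)
        if any(x.overlaps(s) or x.overlaps(d) for x in RESERVED):
            out.append((i, "touches reserved VPLEX subnet"))
        single = s.num_addresses == 1 and d.num_addresses == 1
        if not (single and s[0] in endpoints and d[0] in endpoints) or r.proto == "any":
            out.append((i, "broader than witness<->management"))
    return out

def narrow_rules(witness, mgmt_servers):
    """One allow rule per required flow, per management server, per direction."""
    return [Rule(s, d, p, port) for m in mgmt_servers
            for s, d in ((witness, m), (m, witness)) for p, port in REQUIRED]

# Constructed sample addresses (not from the paper).
WITNESS = "192.168.109.10"
MGMT = ["10.1.1.10", "10.2.1.10"]
ALLOW_ALL = [Rule("any", "any", "any")]      # the posture shown in Step 15
NARROW = narrow_rules(WITNESS, MGMT)         # witness and management servers only

if __name__ == "__main__":
    for name, rs in (("allow-all", ALLOW_ALL), ("narrow", NARROW)):
        print(name, "missing:", missing_flows(rs, WITNESS, MGMT),
              "findings:", findings(rs, WITNESS, MGMT))
```

Both rule sets pass every required flow; only the allow-all set produces findings, which is the trade-off Step 15 describes.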
More Info<br />
Contact your EMC Account or Professional Services team for further details.<br />
Conclusion
This paper has focused on VPLEX Metro and why VPLEX Witness is so critical in achieving continuous availability of storage. VPLEX Witness is a virtual machine that provides intelligent guidance to each of the VPLEX Metro sites from an independent 3rd site. As independent tertiary fault domains are not always available to customers, public cloud providers like VMware vCloud Air can fill this gap in traditional infrastructure. The installation of the VPLEX Witness into a virtual data center is not unlike a traditional deployment, with a few extra steps to configure the network, firewalls, and VPN connectivity to the public cloud. Once deployed into the cloud, the management and operation of the VPLEX Witness is identical to a traditional physical data center implementation.