Welcome to VCP4.com !

Are you looking to pass your VMware VCP-410 exam? Then you have come to the right place. Here you will find real exam questions of the VCP-410 exam taken from the testing center and also links to sites that sell them. So now passing VCP-410 has become much easier than before: all you have to do is memorize the questions, and you will see exactly the same questions in the real exam. In today's world time is money, so by this you not only save time but also save yourself the hassle of failing.

October 26 2009

Vsphere VCP-410 Lab 8 part 2

Lab Scenario
As a network administrator, you want to SSH to the ESX hosts so you can log in to each one of them without
needing to specify passwords or get up and go to the computer to access the service console. You want to
enable SSH on the ESX and ESXi hosts.
Lab Objectives
Using your personal lab, perform the following tasks:
• Activate root SSH access in an ESX host
• Activate root SSH access in an ESXi host
Lab Solution
Activate root SSH access in an ESX host:
To activate root SSH access, log on to your ESX host. Enter the username and password and go to the command
prompt.
Go to /etc/ssh directory by typing cd /etc/ssh

www.certifyme.com
Edit the sshd_config file by typing nano sshd_config. The sshd_config file will open.
Find the line “PermitRootLogin no”. Change no to yes.

Save the file by pressing CTRL+X and then pressing ‘Y’ and then pressing ‘Enter’

Now restart the sshd service by typing service sshd restart

To enable the SSH client and SSH service to work properly, we need to open ports for them in the firewall. At
the command prompt, type esxcfg-firewall -e sshServer
Now open the port for the SSH client by typing esxcfg-firewall -e sshClient. The SSH port is open now. We can
log in remotely to the ESX host using PuTTY.
Activate root SSH access in an ESXi host:
At the console of the ESXi host, press ALT+F1 to access the console command line environment. You will not see
a cursor blinking – just a plain black window.

Type unsupported in the console window and press ‘Enter‘. You will not see the typing. The console will
ask for the root password. Type the password and press Enter. You will see the Tech Support text and the
command prompt.
At the command prompt, edit the inetd.conf file by typing vi /etc/inetd.conf. The editor will open the file.

Find the line that begins with #ssh. Delete the # from #ssh.

After deleting # from #ssh, exit the vi editor by pressing the ESC button and typing “:wq”.

After closing the vi editor, run the command /sbin/services.sh restart to restart the management services. You
are now able to connect to the ESXi host with an SSH client.


October 26 2009

Vsphere VCP-410 Lab 8 part 1

Exam Objective: Configure Service Console availability

Contents
• Introduction
• Technology Background
• Lab Scenario
• Lab Objectives
• Lab Solution
Introduction

The program SSH (Secure Shell) is a secure replacement for telnet and the Berkeley r-utilities (rlogin, rsh, rcp,
and rdist). It provides an encrypted channel for logging into another computer over a network, executing
commands on a remote computer, and moving files from one computer to another. SSH provides strong host-to-host
and user authentication as well as secure encrypted communications over an insecure Internet.
SSH2 is a more secure, efficient, and portable version of SSH that includes SFTP, which is functionally similar
to FTP, but is SSH2 encrypted.
When connecting to a server for the first time SSH presents you with a host key fingerprint for that server and
asks you to confirm that you wish to save the new host key to the local database. Before agreeing, you should
compare this fingerprint with one you obtain by some other means (e.g., by telephone) from the server
administrators to avoid connecting to an imposter server.
Rather than validating identities via passwords, SSH can also use public key encryption to authenticate remote
hosts. For example, if you were to connect to a remote host called sales.acme.com (also running SSH), SSH
would use this system to verify that the remote system is the real sales.acme.com and not a computer set up to
imitate it. If you wish, you can set up SSH to use public key authentication rather than passwords for logging
into your other accounts, much like the ESX login program.
Technology Background
In ESX 4.0, SSH is blocked by default for the root user, so you need to activate the root login on the console of
the ESX server. Otherwise you will not be able to use PuTTY or Veeam FastSCP. The same is the case with
ESXi. Although both ESX versions come with SSH support, it is disabled by default, which generally
means the root user must either authenticate as a standard user and then su to root, or log in directly from the
console.
Through commands, you can enable SSH on ESX and ESXi consoles.
You might need SSH in ESX to log in remotely to the console without needing to go physically to the computer
to configure or maintain it. You can use PuTTY to log in remotely to the ESX/ESXi hosts. You can use SSH
directly to log in to the console without specifying the username and password.
Deny SSH access to all but specific IP addresses
You can configure /etc/hosts.allow with 3 specific IP addresses that can SSH to the ESX hosts in the cluster.
You should also configure /etc/hosts.deny with sshd:all, which means all other IP addresses not configured in
the hosts.allow file will not be able to access the host and will fail with the error “session terminated unexpectedly”.
Only users in the WHEEL group can SU to Root
If the sshd_config file is configured with the PermitRootLogin no option, then root is not able to log in to
the service console remotely, e.g. via PuTTY. We can also take additional steps and limit which standard users can
su to root by changing the /etc/pam.d/su file and then adding only specific users to the wheel group. Here’s
what you’ll need to do:
vi /etc/pam.d/su

Then delete the following line
#auth required /lib/security/$ISA/pam_wheel.so use_uid
Once you have done that, you can now go and look at which users are part of the WHEEL group.
cat /etc/group |grep wheel
which should return this line: “wheel:x:10:root”
Now if your standard user is called johnsmith, just add a comma and add johnsmith so it looks like this:
wheel:x:10:root,johnsmith
Now you can add users to the service console, but only user “johnsmith” will be able to su to root.
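
The settings covered in the two Lab 8 parts (root login in sshd_config, the hosts.allow/hosts.deny restriction, and limiting su to the wheel group) can be checked with a short script. This is an added example, not part of the original lab material: the ROOT directory argument, the function names and the sample files are assumptions constructed for illustration, and 192.0.2.50 stands in for an address that is not on the allow list.

```sh
# Added example, not from the labs: audit a copy of the service console's /etc
# tree. ROOT is the directory holding that copy (layout is an assumption).

# Effective PermitRootLogin: sshd uses the first uncommented occurrence.
permit_root_login() {   # usage: permit_root_login ROOT
    [ -r "$1/etc/ssh/sshd_config" ] || { echo missing; return 0; }
    awk '{ sub(/^[ \t]+/, ""); split($0, kv, /[ \t=]+/) }
         tolower(kv[1]) == "permitrootlogin" { print tolower(kv[2]); found = 1; exit }
         END { if (!found) print "unset" }' "$1/etc/ssh/sshd_config"
}

# Does FILE (hosts.allow or hosts.deny) hold an sshd rule matching client IP?
# Handles exact IPv4 addresses, ALL and "a.b.c." prefixes; matching is
# case-insensitive, as in TCP wrappers.
tcpw_match() {   # usage: tcpw_match FILE IP
    [ -r "$1" ] || return 1
    awk -v ip="$2" '
        function in_list(list, name,    d, k, j) {
            k = split(list, d, /[ \t,]+/)
            for (j = 1; j <= k; j++) if (tolower(d[j]) == name || tolower(d[j]) == "all") return 1
            return 0
        }
        /^[ \t]*(#|$)/ { next }
        {
            if (split($0, part, ":") < 2 || !in_list(part[1], "sshd")) next
            m = split(part[2], c, /[ \t,]+/)
            for (i = 1; i <= m; i++) {
                p = tolower(c[i]); if (p == "") continue
                if (p == "all" || p == ip || (p ~ /\.$/ && index(ip, p) == 1)) { hit = 1; exit }
            }
        }
        END { exit(hit ? 0 : 1) }' "$1"
}

# TCP wrappers order: a hosts.allow match grants access, otherwise a
# hosts.deny match refuses it, otherwise access is granted.
ssh_client_decision() {   # usage: ssh_client_decision ROOT IP
    if   tcpw_match "$1/etc/hosts.allow" "$2"; then echo allow
    elif tcpw_match "$1/etc/hosts.deny"  "$2"; then echo deny
    else echo allow-by-default
    fi
}

# True when /etc/pam.d/su has an active (uncommented) pam_wheel auth line;
# a commented-out line has no effect on su.
su_requires_wheel() {   # usage: su_requires_wheel ROOT
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_wheel\.so' \
        "$1/etc/pam.d/su" 2>/dev/null
}

wheel_members() {   # usage: wheel_members ROOT -> comma-separated members
    awk -F: '$1 == "wheel" { print $4 }' "$1/etc/group" 2>/dev/null
}

# Print one FINDING line per deviation; OUTSIDE_IP is an address that should be refused.
audit_ssh_hardening() {   # usage: audit_ssh_hardening ROOT OUTSIDE_IP
    [ "$(permit_root_login "$1")" = no ] || echo "FINDING: PermitRootLogin is not 'no'"
    [ "$(ssh_client_decision "$1" "$2")" = deny ] || echo "FINDING: sshd reachable from unlisted $2"
    su_requires_wheel "$1" || echo "FINDING: su is not restricted to the wheel group"
    return 0
}

# Constructed sample files (not from a real host): "hardened" applies the
# restrictions described above, "lab" is the state after enabling root SSH.
make_sample_root() (   # usage: make_sample_root hardened|lab -> prints directory
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/etc/ssh" "$d/etc/pam.d"
    if [ "$1" = hardened ]; then
        printf 'Protocol 2\nPermitRootLogin no\n' > "$d/etc/ssh/sshd_config"
        printf 'sshd: 10.0.0.5, 10.0.0.6, 10.0.0.7\n' > "$d/etc/hosts.allow"
        printf 'sshd:all\n' > "$d/etc/hosts.deny"
        printf 'auth required /lib/security/$ISA/pam_wheel.so use_uid\n' > "$d/etc/pam.d/su"
        printf 'wheel:x:10:root,johnsmith\n' > "$d/etc/group"
    else
        printf '#PermitRootLogin no\nPermitRootLogin yes\n' > "$d/etc/ssh/sshd_config"
        : > "$d/etc/hosts.allow"; : > "$d/etc/hosts.deny"
        printf '#auth required /lib/security/$ISA/pam_wheel.so use_uid\n' > "$d/etc/pam.d/su"
        printf 'wheel:x:10:root\n' > "$d/etc/group"
    fi
    echo "$d"
)

for mode in hardened lab; do
    root=$(make_sample_root "$mode")
    echo "== $mode: PermitRootLogin=$(permit_root_login "$root") wheel=$(wheel_members "$root")"
    audit_ssh_hardening "$root" 192.0.2.50
    rm -rf "$root"
done
```

To audit a real host, copy its /etc/ssh/sshd_config, /etc/hosts.allow, /etc/hosts.deny, /etc/pam.d/su and /etc/group into a directory with the same layout and pass that directory as ROOT.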

October 26 2009

Vsphere VCP-410 Lab 7 part 2

Lab Scenario
As part of the VMware vSphere 4 implementation, you are set to assign a physical adapter to an existing vSwitch.
According to the plan given to you by the network analyst, you need to assign a physical adapter to an existing
vSwitch for extra bandwidth and as part of a backup plan in case any one of the physical adapters fails to send or
receive traffic.
Lab Objectives
• Using your personal lab, assign a physical adapter to an existing vSwitch
Lab Solution
Assign a physical adapter to an existing vSwitch:
Log on the ESX server using VMware vSphere client.
Choose the host from inventory panel and click Configuration

Choose Networking from the configuration panel.
Select an existing vSwitch and click Properties.
vSwitch Properties window appears. Select ‘Network Adapters’ tab
Click ‘Add’ button at the bottom. The ‘Add Adapter wizard’ appears.

Select unclaimed adapter and click Next

You can pick the new adapter as an active adapter and the already assigned adapter as standby adapter by
clicking the ‘Move Down’ button. It is recommended to leave the already active adapter and assign standby
status to the new adapter. Click Next.

Review the adapter to be added to the vSwitch and click Finish.

Now you can view the newly assigned adapter in the vSwitch properties. Click Close

You can also view the newly assigned adapter in the vSwitch networking area.

October 26 2009

Vsphere VCP-410 Lab 7 part 1

Exam Objective: Assign Physical Adapters
Contents
• Introduction
• Technology Background
• Lab Scenario
• Lab Objectives
• Lab Solution

Introduction
Physical Ethernet adapters serve as bridges between virtual and physical networks. In VMware vSphere, they
are called uplinks, and the virtual ports connected to them are called uplink ports. A single host may have a
maximum of 32 uplinks, which may be on one switch or distributed among a number of switches.
In order for a virtual switch to provide access to more than one VLAN, the physical switch ports to which its
uplinks are connected must be in trunking mode. It is important to prune the VLANs, keeping only those that
are required for the virtual switch. Failure to do so can cause unnecessary overhead on the ESX Server host
because it must process broadcast traffic for all VLANs trunked to it.
Technology Background
You should prune VLANs at the physical switch level, but pruning at the physical switch cannot be quite as
aggressive as pruning at the uplink because the virtual switch knows which virtual machines are actually
powered on. As a result, the virtual switch may be able to prune VLANs that are needed but are not in use at the
time you are pruning.
You can specify different teaming behavior for different groups of virtual machines that share the same team of
physical adapters. For example, you can vary the active/standby status of each adapter in the team across port
groups to get both good link aggregation and failover behavior.
Teaming state — which physical Ethernet adapters are actually transporting data — is maintained for each
port group. Teaming state transitions are mostly transparent to virtual Ethernet adapters. Virtual machines
cannot tell when a failover has occurred or which physical adapter is carrying any given frame. When the
transition removes or restores actual access to a physical network — that is, when the last link goes down or
the first link comes up — the network visibility change is apparent to guests.
Uplinks are not required for a virtual switch to forward traffic locally. Virtual Ethernet adapters on the same
virtual switch can communicate with each other even if no uplinks are present. If uplinks are present, they are
not used for local communications within a virtual switch.
When VLANs are configured, ports must be on the same VLAN in order to communicate with each other. The
virtual switch does not allow traffic to pass from one VLAN to another. Communication between VLANs is
treated the same as communication between virtual switches — it is not allowed. If you do want
communication between two VLANs or two virtual switches, you must configure an external bridge or router to
forward the frames.
A virtual switch (vSwitch) can have multiple physical nics/vmnics/uplinks linked to it, but each “physical
nic”/vmnic/uplink can only be connected to a single vSwitch at a given time.
Keep in mind that if you want to connect a virtual machine’s “virtual nic” to the outside world, you do not
connect the “virtual nic” to a vSwitch. You connect a virtual machine’s “virtual nic” to a “Virtual Machine Port
Group”, and then you associate the “Virtual Machine Port Group” to a vSwitch. Along these lines, if two virtual
machines are connected to either the same “Virtual Machine Port Group”, or are connected to “Virtual Machine
Port Groups” on the same vSwitch, any network communication between the two will not flow through a
“physical uplink adapter”, it will remain “internal” to vSwitch/ESX server. This is why you don’t even have to
have any “physical uplink adapters” connected to a vSwitch. A vSwitch that is not connected to any “physical
uplink adapters” is referred to as an “internal-only virtual switch”.
Keep thinking of the physical uplink adapters as “dumb bridge ports”. They do not have an IP address, their
“physical” MAC address will not appear on the network or anything like that. It is just a port through which
packets flow.

October 26 2009

Vsphere VCP-410 Lab 6 part 2

Lab Scenario
After configuring a vSwitch, you have to configure ports and port groups for virtual machines. Since this is the
only way virtual machines hosted on ESX servers will network with the physical networks, you need to make
sure the ports are configured correctly.
Lab Objectives
• Using your personal lab, create a port group
Lab Solution
Create a port group:
Login to ESXi server using vSphere client; type IP address, username and password. Click Login

In the vSphere client interface, select the server (IP address) in the right column and then click Configuration
Select Networking from the configuration menu.

Click ‘Add Networking’ which is located on the right side of the page.
The Add Networking options window appears. Select Virtual Machine and click Next.

Select the vSwitch, in which you will create the port group. Click Next.

Enter the Network Label and leave the VLAN ID. Click Next.

The port group is added to the vSwitch connected to the physical adapter. Click Finish

You can view the newly created Port group in the vSwitch you selected during the creation process.


October 26 2009

Vsphere VCP-410 Lab 6 part 1

Exam Objective: Create Ports/Port Groups
Contents
• Introduction
• Technology Background
• Lab Scenario
• Lab Objectives
• Lab Solution
Introduction

The ports on a virtual switch provide logical connection points among virtual devices and between virtual and
physical devices. You can think of them as virtual RJ-45 connectors. Each virtual switch can have up to 1,016
virtual ports, with a limit of 4,096 ports on all virtual switches on a host.
The virtual ports in ESX Server provide a rich control channel for communication with the virtual Ethernet
adapters attached to them. ESX Server virtual ports:
• Know authoritatively what the configured receive filters are for virtual Ethernet adapters attached to
them. This means no MAC learning is required to populate forwarding tables.
• Unlike physical switches, know authoritatively the “hard” configuration of the virtual Ethernet adapters
attached to them. This capability makes it possible to set such policies as “guest can’t change MAC
address,” because the virtual switch port can essentially know for sure what is “burned into ROM”
(actually, stored in the configuration file, outside control of the guest operating system).
Technology Background
Port groups aggregate multiple ports under a common configuration and provide a stable anchor point for
virtual machines connecting to labeled networks. You can create a maximum of 512 port groups on a single
host.
Each port group is identified by a network label, which is unique to the current host. Network labels are used to
make virtual machine configuration portable across hosts. All port groups in a datacenter that are physically
connected to the same network (in the sense that each can receive broadcasts from the others) are given the
same label. Conversely, if two port groups cannot receive broadcasts from each other, they have distinct labels.
A VLAN ID, which restricts port group traffic to a logical Ethernet segment within the physical network, is
optional. For a port group to reach port groups located on other VLANs, the VLAN ID must be set to 4095. If
you use VLAN IDs, you must change the port group labels and VLAN IDs together so that the labels properly
represent connectivity.
Port groups are important particularly for VMotion. To understand why, consider what happens as virtual
machines migrate to new hosts using VMotion. Port groups make it possible to specify that a given virtual
machine should have a particular type of connectivity on every host on which it might run. Port groups are user-named
objects that contain enough configuration information to provide persistent and consistent network
access for virtual Ethernet adapters:
• Virtual switch name
• VLAN IDs and policies for tagging and filtering
• Teaming policy
• Layer 2 security options
• Traffic shaping parameters
In short, port group definitions capture all the settings for a switch port. Then, when you want to connect a
virtual machine to a particular kind of port, you simply specify the name of a port group with an appropriate
definition. Port groups may specify different host-level parameters on different hosts — teaming
configurations, for example. But the key element is that the result is a consistent view of the network for a
virtual machine connected to that port group, whichever host is running it.
Port Group Configuration for Virtual Machines
You can add or modify a virtual machine port group from the vSphere Client. The vSphere Client Add Network
wizard guides you through the tasks to create a virtual network to which virtual machines can connect,
including creating a vSwitch and configuring settings for a network label. When you set up virtual machine
networks, consider whether you want to migrate the virtual machines in the network between hosts. If so, be
sure that both hosts are in the same broadcast domain—that is, the same Layer 2 subnet.
ESX does not support virtual machine migration between hosts in different broadcast domains because the
migrated virtual machine might require systems and resources that it would no longer have access to in the new
network. Even if your network configuration is set up as a high-availability environment or includes intelligent
switches that can resolve the virtual machine’s needs across different networks, you might experience lag times
as the Address Resolution Protocol (ARP) table updates and resumes network traffic for the virtual machines.
Virtual machines reach physical networks through uplink adapters. A vSwitch can transfer data to external
networks only when one or more network adapters are attached to it. When two or more adapters are attached to
a single vSwitch, they are transparently teamed.

October 26 2009

Vsphere VCP-410 Lab 5 part 4

Enter the network label and VLAN ID. Select the Vmotion, fault tolerance and traffic management options as
well. Click Next.

Enter the IP address and subnet mask, or select Obtain IP setting automatically if you have DHCP
configured. For the sake of showing this step, we manually enter the IP address and subnet mask.

Click Edit to set the service console default gateway and click Next.

Preview the newly created vswitch and click Finish

You can see the newly created switch in the networking panel

Delete a vSwitch:
To delete a vSwitch, simply click Remove above the switch display in the networking panel.

On the confirmation dialog box ‘Remove Virtual Switch vSwitch1’, click Yes. The vSwitch will be removed
from the networking panel.

October 26 2009

Vsphere VCP-410 Lab 5 part 3

Lab Scenario
As part of the VMware implementation program that you started by installing ESX and ESXi hosts on compatible
machines, you are now proceeding according to the plan. The next task is to create a vSwitch for the ESX 4.0 service
console. One vSwitch is already configured; however, you want to create one more vSwitch for effective
network and failure management.
Lab Objectives
Using your personal lab, perform the following two tasks:

• Create a vSwitch
• Delete a vSwitch
Lab Solution
Create a vSwitch:
Switch on ESXi 4.0 server and Log in to the vSphere Client to connect to ESXi 4.0 host.
Select the host from the inventory panel.

Click the Configuration tab, and click Networking.

In the Virtual Switch view, click Add Networking.
Select VMKernel, and click Next.
Select Create a new vSwitch, and click Next. If no adapters appear in the Create a new virtual switch group,
all network adapters in the system are being used by existing vSwitches.

October 26 2009

Vsphere VCP-410 Lab 5 part 2

How a Virtual Switch Is Similar to a Physical Switch
A virtual switch, as implemented in ESX Server 4, works in much the same way as a modern Ethernet switch. It
maintains a MAC:port forwarding table and performs the following functions:
• Looks up each frame’s destination MAC when it arrives.
• Forwards a frame to one or more ports for transmission.
• Avoids unnecessary deliveries (in other words, it is not a hub).
An ESX Server 4 virtual switch supports VLAN segmentation at the port level. This means each port can be
configured in either of the following ways:
• With access to a single VLAN, making it what’s called an access port in the world of physical switches, or in
ESX Server terminology, using virtual switch tagging.
• With access to multiple VLANs, leaving tags intact, making it what’s called a trunk port in the world of physical
switches, or in ESX Server terminology, using virtual guest tagging.
An ESX Server 4 virtual switch supports copying packets to a mirror port. By using what is called promiscuous
mode, ESX Server makes a virtual switch port act as a SPAN port or mirror port. This capability makes it
possible to debug using a sniffer or to run monitoring applications such as IDS.
In addition, an administrator can manage many configuration options for the switch as a whole and for
individual ports using the Virtual Infrastructure Client.
How a Virtual Switch Is Different from a Physical Switch
ESX Server provides a direct channel from virtual Ethernet adapters for such configuration information as
authoritative MAC filter updates. So there is no need to learn unicast addresses or perform IGMP snooping to
learn multicast group membership.
Ports on the virtual switch may automatically enter mirror mode when the virtual Ethernet adapter’s
promiscuous bit is set — if virtual switch and port group policies allow.
Spanning Tree Protocol Not Needed

VMware Infrastructure 4 enforces a single-tier networking topology. In other words, there is no way to
interconnect multiple virtual switches, thus the network cannot be configured to introduce loops. As a result,
Spanning Tree Protocol (STP) is not needed and is not present.
Virtual Switch Isolation
Network traffic cannot flow directly from one virtual switch to another virtual switch within the same host.
Virtual switches provide all the ports you need in one switch, leading to the following benefits:
• Because there is no need to cascade virtual switches, Virtual Infrastructure 4 provides no capability to
connect virtual switches.
• Because there is no way to connect virtual switches, there is no need to prevent bad virtual switch
connections.
• Because virtual switches cannot share physical Ethernet adapters, there is no way to fool the Ethernet
adapter into doing loopback or some similar configuration that would cause a leak between virtual
switches.
In addition, each virtual switch has its own forwarding table, and there is no mechanism to allow an entry in one
table to point to a port on another virtual switch. In other words, every destination the switch looks up can
match only ports on the same virtual switch as the port where the frame originated, even if other virtual
switches’ lookup tables contain entries for that address.
It is unlikely that a would-be attacker could circumvent virtual switch isolation because it would be possible
only if there were a substantial unknown security flaw in the vmkernel. Because ESX Server parses so little of
the frame data — primarily just the Ethernet header — this would be difficult, and once an attacker had such
access, richer targets than breaking virtual switch isolation are readily available.
There are natural limits to this isolation. If you connect the uplinks of two virtual switches together, or if you
bridge two virtual switches with software running in a virtual machine, you open the door to the same kinds of
problems you might see in physical switches.
Changing the Number of Ports for a vSwitch
A vSwitch serves as a container for port configurations that use a common set of network adapters, including
sets that contain no network adapters at all. Each virtual switch provides a finite number of ports through which
virtual machines and network services can reach one or more networks.

October 26 2009

Vsphere VCP-410 Lab 5 part 1

Exam Objective: Create/Delete Virtual Switches
Contents
• Introduction
• Technology Background
• Lab Scenario
• Lab Objectives
• Lab Solution
Introduction
A virtual switch, or vSwitch, works much like a physical Ethernet switch. It detects which virtual machines are
logically connected to each of its virtual ports and uses that information to forward traffic to the correct virtual
machines. A vSwitch can be connected to physical switches by using physical Ethernet adapters, also referred to
as uplink adapters, to join virtual networks with physical networks. This type of connection is similar to
connecting physical switches together to create a larger network. Even though a vSwitch works much like a
physical switch, it does not have some of the advanced functionality of a physical switch.
You can create abstracted network devices called vNetwork Standard Switches (vSwitches). A vSwitch can
route traffic internally between virtual machines and link to external networks. You can use vSwitches to
combine the bandwidth of multiple network adapters and balance communications traffic among them. You can
also configure a vSwitch to handle physical NIC failover. A vSwitch models a physical Ethernet switch. The
default number of logical ports for a vSwitch is 56, but it can have up to 1016 ports in ESX. You can connect
one network adapter of a virtual machine to each port. Each uplink adapter associated with a vSwitch uses one
port. Each logical port on the vSwitch is a member of a single port group. Each vSwitch can also have one or
more port groups assigned to it. You can create a maximum of 127 vSwitches on a single host.
When two or more virtual machines are connected to the same vSwitch, network traffic between them is routed
locally. If an uplink adapter is attached to the vSwitch, each virtual machine can access the external network
that the adapter is connected to.
Technology Background
How Virtual Switches Work
Virtual switches are the key networking components in VMware vSphere 4. You can create up to 248 virtual
switches on each ESX Server 4.0 host. A virtual switch is “built to order” at run time from a collection of small
functional units. Some of the key functional units are:
• The core Layer 2 forwarding engine. This is a key part of the system (for both performance and
correctness), and in Virtual Sphere 4 it is simplified so it only processes Layer 2 Ethernet headers. It is
completely independent of other implementation details, such as differences in physical Ethernet
adapters and emulation differences in virtual Ethernet adapters.
• VLAN tagging, stripping, and filtering units.
• Layer 2 security, checksum, and segmentation offload units.
This modular approach has become a basic principle to be followed in future development, as well. When the
virtual switch is built at run time, ESX Server 4 loads only those components it needs. It installs and runs only
what is actually needed to support the specific physical and virtual Ethernet adapter types used in the
configuration. This means the system pays the lowest possible cost in complexity and demands on system
performance.
The design of ESX Server 4 supports temporarily loading certain components in the field — a capability that
could be used, for example, for running appropriately designed diagnostic utilities.
An additional benefit of the modular design is that VMware and third-party developers can easily incorporate
modules to enhance the system in the future.
In many ways, the ESX Server virtual switches are similar to physical switches. In some notable ways, they are
different. Understanding these similarities and differences will help you plan the configuration of your virtual
network and its connections to your physical network.