VMware VSHIELD APP 1.0.0 UPDATE 1 Admin Manual page 136


vShield Administration Guide
Port Id is the first column in all other tables (Active Ports, Switch State, and Portstats). This is a unique
identifier assigned by the vshd module for each fence-enabled port. This ID is internal and has no external
meaning. It is the dvfilter name for that port, type-cast to Uint64. The port ID is useful for querying values for a
specific port with the fenceutil portInfo <portId> command, which outputs details of only one port.
Active Ports shows all the ports/vNICs where fencing is active. This includes the mirror vNICs. Your first
host has five ports enabled for fencing, two of which are mirror vNICs. The mirror vNICs can be identified by
a special fence ID of fffffe. The OPI column indicates the fence ID. In your setup, the first host has one fence
with ID 000001. The next column indicates the LanId configured for that port. This is an indication of which
vSwitch the ports might be connected to. In the output below, your first host has two vSwitches (legacy +
dvswitches). One has been assigned LanId 1 and the other one has LanId 2. Thus, you see two mirror virtual
machine vNICs (one for each vSwitch) with different LanIds in active ports.
Switch State shows the learning table of the internal unicast learning in the fence module. The inner MAC is
the MAC of the destination VM; the outer MAC is the hostkey MAC of the host on which this VM is present.
The learning builds this table by looking at packets and trying to learn which VM is on which host. When
one VM on that host tries to reach another virtual machine, this table is looked up. If the destination
VM's MAC is seen in the inner MAC column, then the outer MAC is used as the destination hostkey MAC to be
put in the outer MAC header added by the fence module. If an entry is not found here, the packet is
broadcast (the outer MAC header's destination MAC is set to broadcast). Like any other learning system, this
one also has mechanisms to time out and modify learnt entries. This takes care of things like VMs moving to
different hosts and makes sure that the table does not grow too large with stale MAC entries. The
used/age/seen bits represent the flags used by the fence module to track the frequency of these MAC entries. The
learning is done on a per-port level, hence you would see the same inner MAC - outer MAC pairs on different
ports. This table also shows the same hostkey MAC in the outer MAC sections because, even for VMs on the same host,
the same code is used: a packet is encapsulated and sent from the source port and decapsulated on the
destination port. There is no optimization for same-host VMs. Thus, for VMs on the same host, the outer MAC
will be the hostkey MAC of the same host.
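The lookup, broadcast-on-miss and aging behaviour described above, as a simplified Python model added here for illustration; it is not VMware's fence module code. The class and method names, the MAC addresses, and the sweep-count aging policy (standing in for the used/age/seen flags, whose exact semantics the guide does not give) are assumptions.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class FencePortTable:
    """Simplified model of one port's inner MAC -> outer (hostkey) MAC table."""

    def __init__(self, max_age=3):
        self.max_age = max_age  # assumed policy: sweeps an entry may go unrefreshed
        self.entries = {}       # inner MAC -> [outer MAC, age in sweeps]

    def learn(self, inner_src, outer_src):
        """Record which host (outer MAC) a VM (inner MAC) was last seen behind."""
        # Overwriting handles a VM that moved to a different host.
        self.entries[inner_src] = [outer_src, 0]

    def outer_dst_for(self, inner_dst):
        """Outer destination MAC for the header added when encapsulating."""
        entry = self.entries.get(inner_dst)
        return entry[0] if entry else BROADCAST  # miss -> broadcast

    def sweep(self):
        """Aging pass: drop entries not refreshed within max_age sweeps."""
        for mac in list(self.entries):
            self.entries[mac][1] += 1
            if self.entries[mac][1] > self.max_age:
                del self.entries[mac]


def demo():
    # Constructed addresses, not taken from any real deployment.
    host_a, host_b = "00:13:f5:00:00:0a", "00:13:f5:00:00:0b"
    vm2 = "00:50:56:00:00:02"
    port = FencePortTable(max_age=2)
    seen = [port.outer_dst_for(vm2)]       # nothing learnt yet
    port.learn(vm2, host_b)
    seen.append(port.outer_dst_for(vm2))   # learnt: vm2 is behind host B
    port.learn(vm2, host_a)                # vm2 now seen behind host A
    seen.append(port.outer_dst_for(vm2))
    for _ in range(3):                     # entry goes stale
        port.sweep()
    seen.append(port.outer_dst_for(vm2))
    return seen


if __name__ == "__main__":
    print(demo())
```

Because each port keeps its own table, two ports on the same host would each hold their own copy of the same inner MAC - outer MAC pair, which is why the Switch State output repeats pairs across ports.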
Port Statistics shows packet statistics on a per-port basis, one port per row. The From VM and To VM statistics indicate
packets to and from the VM. The subcategories indicate the specifics about the packet. The details of each counter
are in the following structure. Let me know if you need any more info on this.
Troubleshooting vShield Edge Issues
Virtual Machines Are Not Getting IP Addresses from the DHCP Server
To determine why protected virtual machines are not being assigned IP addresses by a vShield Edge
1. Verify DHCP configuration was successful on the vShield Edge by running the CLI command: show
   configuration dhcp.
2. Check whether DHCP service is running on the vShield Edge by running CLI command: show service
   dhcp.
3. Ensure that vmnic on virtual machine and vShield Edge is connected (vCenter > Virtual Machine > Edit
   Settings > Network Adapter > Connected/Connect at Power On check boxes).
   When both a vShield App and vShield Edge are installed on the same ESX host, disconnection of NICs
   can occur if a vShield App is installed after a vShield Edge.
Load-Balancer Does Not Work
To determine why the load balancer service on a vShield Edge is not working
1. Verify that the Load balancer is running by running the CLI command: show service lb.
   Load balancer can be started by issuing the start command.
2. Verify the load-balancer configuration by running command: show configuration lb.
   This command also shows on which external interfaces the listeners are running.
VMware, Inc.
