Showing posts from January, 2022

vSAN: The cascade scenario that vSAN stretch cluster has issues with...

Summary: Basically while testing stretch cluster, we ran into strange failover behavior.  The fact that it was not simply occuring.  During this testing, we found a dirty little secret about stretch cluster failovers.  One that makes me rethink if stretch clusters really is worth doing. Documented Failure Scenarios Details: All documented scenarios effectively deal w/ a 'single' type of failure.  The problem is disasters/failures can be multi-faceted and cascading in some instances.  Taking the Secondary Site Failure or Partitioned scenario and adding the 'cascading failure' to it and you end up in a whole world of trouble depending on the next 'failure'. Below effectively depicts the failure of the interconnect between the two sites.  The problem this fails to take into account is that there are typically 3 things involved to this.   The networking between the two sites The preferred site routers The secondary site routers So here is a slightly more involved d

NSX-T: Deleting route advertisement filters via API

  Summary: When creating a DHCP server in NSX-T, a route advertisement filter is automatically created for you.  This is so that the DHCP server is prevented from advertising DHCP addresses outside of your fabric.  This is fine for the most part, but there are occasions where the DHCP subnet you allocated may overlap a DNS forwarder IP that you may have setup before. Honestly, this feels like a logic bug to where it shouldn't allow this, but oh well.   Detailed Steps Anyway, all you have to do is delete the DHCP server in question, but in some cases, the route filter may not be deleted along with it. In that case, you can delete the route filter itself via the Manager UI: Select Manager > Networking > Tier-1 Logical Routers > T1 in question > Routing > Route Advertisement > Select DHCPServerRouteFilter > Delete. In the case where the delete option is greyed out, you can use the below curl code to clear it out.  This is the last ditch effort, so only do it if yo

NSX-T: Create CSR's with SAN entries, self sign, and apply them

Summary: This utilizes an experimental API endpoint in NSX-T, but I've found it to work without issues.  Be warned though, the endpoint may not function the same in newer releases.  This has worked in 3.1.2. Details: The variables at the beginning of this shell script must be defined for your environment. Your DNS names should resolve to your appliances. This does work w/ 3.1.2, but may not in future revisions. Example Code: