_3: My Lab Set Up

Proper lab practices for flawless implementation in a production environment

Tags: Cisco, Firewalls, Dell, VMware

7/15/2024 | 5 min read


Having a lab setup is important when you're developing and testing a solution. It's even more important when you're learning a new technology. If you're on a budget like I was, hop onto eBay and start looking for hardware for your lab setup. I spent under $500, so here's my setup.

  • Two (2) PowerEdge Dell R710 (eBay)

  • One (1) Cisco Catalyst 3750G (eBay)

  • One (1) Cisco ASA 5550 Firewall (eBay)

Catalyst 3750G - I got a pretty outdated Layer 3 capable Catalyst switch. The only thing I wished I had was 1 Gb/s uplink ports. vMotion does take a while with 100 Mb/s ports, even with link aggregation. I wish I had spent an additional $50-$100 for a network switch with 1 Gb/s uplinks. I used this network switch for management and VM connectivity to my two (2) Dell hosts. I got a 48 port network switch, which was way overkill for my lab setup, but I'm sure I won't be complaining when I do start filling up these connections.

Dell R710 - It's important to have at least two (2) bare metal servers, each with at least two (2) processors, a dual SD card reader, 32 GB RAM and at least 4 TB of HD space. Why two (2) servers? You should have two (2) servers especially when you're learning how to install and deploy VMware ESXi and vCenter Server. You want to utilize clustering and the associated features such as vMotion, Fault Tolerance and High Availability. I selected the R710 so I could at least install the Dell supported ESXi 6.0 U2. Since this is only for lab use, you can attempt to install ESXi 7.0 or even ESXi 8.0. You should be able to install it, with some warnings of course. You may have some degradation in performance since the newer versions of ESXi are NOT supported on the older PowerEdge platforms. That is just how life works. People and technology move on.

Install the ESXi OS on the SD reader. This was the usual best practice before Boot Optimized Storage Solution (BOSS) cards became available on the newer PowerEdge servers. If you have the dough to purchase a refurbished newer Dell server with all the latest and greatest, DO IT. Make sure your BOSS card is configured as RAID 1 just in case one of its drives takes a dump. Starting with ESXi 8.0, VMware (or Broadcom) will be requiring boot storage to be NON-REMOVABLE, meaning that SD card readers will no longer work for boot storage.

As for storage, in production deployments I usually recommend having a Storage Area Network (SAN) with at least 1 Gb/s uplinks for all VM storage traffic. 10 Gb/s or more is preferred, but OT environments usually don't have or need this type of bandwidth. If you are sharing with IT and do have these specs, USE IT. More to come on how to work with IT when sharing hardware. For OT environments, it's important to ensure system uptime, so always get a SAN with dual controllers. HP is a good vendor, but Dell also has options for end users who are more budget conscious. I can't speak too much to Dell's SAN technology as I have not used them out in the field yet, but HP's SANs definitely live up to their hype. You can upgrade each of the controllers independently and do it live in production. You can force failover to one of the two SAN controllers as needed. HP uses a Triple+ Parity RAID algorithm to protect against three simultaneous disk failures, which is awesome. HP SANs guarantee 99.9999% uptime, meaning at most 31.56 seconds of downtime per year or 2.63 seconds of downtime per month. As for OT systems, we'll take that uptime all day.

Cisco ASA 5550 - Similar to the Catalyst network switch, I got a pretty outdated firewall from eBay. I got this firewall for pretty cheap, and the purpose was to understand how to set up an ASA firewall in routed mode. It's important to play with hardware/appliances as close to production as possible, so this gave me the chance to play with routing and Access Control Lists for filtering network traffic between security zones. These ASAs are capable of VPN remote access as well, but I didn't want to pay for a static IP address from my ISP. From my experience, eBay ASA firewalls are decent hardware to learn stateful firewall configuration on and will start you off on your journey in the world of firewall configuration.

Things to keep in mind - There are a couple of things to keep in the back of your mind when putting together your lab. If you have limited space, I don't recommend getting a PowerEdge R710. These things need additional cooling and real estate. I have an office room where I store my lab setup, and these things definitely keep my room cozy during the winter, in addition to the sound of the fans humming at 85 dBA. Fan noise can imprint its humming meditative sounds into your cerebrum and provide sleep therapy if you have insomnia. For my next servers, I would like to purchase mini PCs with a 14-core single processor and dual NICs. I think that'll provide enough juice to accomplish the things I set out for. Something to keep in mind.

Lastly, here is my final spiel on lab setups. It's very, very important to develop and test on a lab or test system before going to production. Whether you're coding or configuring servers/software, DO IT in a test environment. Especially if you haven't completed similar tasks before, DO IT in a test environment. If you don't, I guarantee you that you will shut down the plant for hours due to your curiosity. Ask me how I know. Get curious in a test environment and break things there instead. Take VM snapshots so you can easily revert to a working state. Utilize these technologies that are readily available to you. Don't get so cocky that you do all your development and testing in production. Everyone will remember that you're that guy/gal who took down their OT system. Sure, sure, there are times when you cannot avoid it. When you have no other choice, just remember to make backups in case you do break something.

I'll have a blog post in the near future on how I get the latest and greatest VMware products to test in my lab. There are other emulation products that I use to learn networking and security products, and hopefully they'll be of some value to you. I'm testing out a few at the moment and will provide additional details for those who are interested.

Until next time, keep learning and keep failing.

Remember to segregate your management network from your VM networks. Further segmentation of your VM networks is definitely recommended, especially in production. In production environments you should always have redundant uplinks for managing the hosts, but since this is only a lab setup, a single management uplink is acceptable.
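As an added example (not the author's configuration), here is what the routed-mode ASA filtering between a management zone and a VM zone, as described in the ASA section and the segregation note above, could look like on an ASA 5550. Interface names, addresses, host objects and the allowed ports are assumptions for a lab laid out like this one.

```cisco
! Added example, not from the original post. Two security zones on an ASA in
! routed mode: "mgmt" (ESXi hosts, vCenter, admin workstation) and "vm".
! All addresses and interface assignments are assumed lab values.
interface GigabitEthernet0/0
 nameif mgmt
 security-level 100
 ip address 10.10.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif vm
 security-level 50
 ip address 10.20.0.1 255.255.255.0
 no shutdown
!
! Hosts that live in the management zone (assumed addresses)
object network ESXI_HOSTS
 range 10.10.0.11 10.10.0.12
object network VCENTER
 host 10.10.0.20
object network ADMIN_PC
 host 10.10.0.50
object network VM_NET
 subnet 10.20.0.0 255.255.255.0
object network MGMT_NET
 subnet 10.10.0.0 255.255.255.0
!
! Inbound on the VM zone: VMs may reach vCenter over HTTPS only (e.g. a
! jump-box VM); every other attempt into the management subnet is
! denied and logged, then the VM zone keeps its normal path elsewhere.
access-list VM_IN extended permit tcp object VM_NET object VCENTER eq 443
access-list VM_IN extended deny ip object VM_NET object MGMT_NET log
access-list VM_IN extended permit ip object VM_NET any
access-group VM_IN in interface vm
!
! Inbound on the management zone: only the admin workstation may open
! SSH/RDP sessions into VMs; other mgmt hosts have no business there.
! Applying an ACL replaces the ASA's default "high to low is allowed" rule.
access-list MGMT_IN extended permit tcp object ADMIN_PC object VM_NET eq 22
access-list MGMT_IN extended permit tcp object ADMIN_PC object VM_NET eq 3389
access-list MGMT_IN extended deny ip any object VM_NET log
access-list MGMT_IN extended permit ip object MGMT_NET any
access-group MGMT_IN in interface mgmt
```

The logged deny lines are what make this useful in a lab: watching them fire from a VM that tries to reach the ESXi hosts confirms the segregation actually holds before you trust the same layout in production.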