Dell VxRail Deployment Planning Guide

Important considerations before you begin self-deployment

• If you are not sure you can complete the end-to-end deployment process, contact Dell Technologies Services.
• If you are unable to complete the self-deployment after you have started, contact your sales representative or partner to purchase Dell Technologies Services.

Required skills

Before you start the self-deployment, verify that you have the following skills:

• Understand the network requirements and VxRail infrastructure planning and deployment.
• Understand implications for the decisions that are made during planning.
• Accept responsibility for the end-to-end deployment process.
• Have solid system administration experience with VMware vSphere, VMware ESXi, VMware vSAN, and other VMware products.
• Ethernet and IP address networking experience including network cable selection, switch topologies, subnets, and routing.
• Have moderate network, firewall configuration, and router troubleshooting experience.
• Understand the physical installation and rack cabling requirements.
• Familiar with the UI for iDRAC configuration.

Best practices

Use best practices to mitigate risk during and after deployment. Good security practices include, but are not limited to:

• Implement redundant, physically secure power supplies and environmental controls such as cooling, ventilation, and fire suppression.
• Locate your VxRail in a secure dedicated purpose server room or data center secured in-rack. Limit physical access to authorized personnel only.
• Use the Dell VxRail Network Planning Guide to implement dedicated VLANs to isolate management, control plane, VMware vSphere vMotion, storage, workload, and other internal networks.
• Verify that administrative access to management interfaces is:
  • Limited to authorized personnel and systems necessary for the operation of the VxRail
  • Through an administrative enclave segmented from production, workload, or workstation networks
  • Located behind the enclave firewall and policies to restrict access to administrative or management networks are enforced
  • Protected by MFA, SEIM, and other security infrastructures
  • Strong password policies are enforced and rotated when deployed by Dell Technologies or partner personnel
• Isolate iDRAC management interfaces from all networks, strong passwords, and additional controls as recommended in the iDRAC9 Security Configuration Guide.
• Use the following to protect workloads:
  • L3 firewalls or a microsegmentation solution such as VMware NSX to protect network traffic
  • Anti-malware solutions such as VMware AppDefense, Carbon Black
  • Data Encryption at Rest (DARE) through capabilities such as:
    • VMware vSphere Virtual Machine Encryption occurs at the beginning of the I/O flow on a per-VM basis and directly encrypts VM-related files, including vdisks and snapshots. For this reason, VM-level encryption does not work with deduplication and compression. Not all VMware vSphere functionalities are available on encrypted VMs.
    • VMware vSAN Encryption provides true data-at-rest encryption to fully use deduplication and compression for space saving purposes. VMware vSAN encryption is compatible with all vSAN data services.
• Harden VxRail using the VxRail STIG Hardening Package. Check the VxRail STIG Hardening Guide to confirm VxRail version support.