Before you start the VMware Cloud Foundation (VCF) Installer, spend a few minutes on pre-checks. The installer does run its own validation, but the two issues that cause most failed deployments, DNS (both forward and reverse) and time sync, are far easier to fix on the ESX host shell than halfway through a deployment. Below is a checklist for a fresh VCF 9.x management domain deployment. Every item can be verified directly, with the command to run and what a pass looks like.
A. Pre-Installation Checks
Run these on each ESX host shell (SSH) unless noted otherwise.
| # | Check | How to verify | Pass criteria |
|---|---|---|---|
| 1 | Depot connectivity (run from the network the Installer appliance will use) | nc -zv depot.broadcom.com 443, then curl -v https://depot.broadcom.com | Port open and TLS handshake completes |
| 2 | ESX build matches the VCF 9.x BOM | vmware -v | Build number matches the BOM for your target 9.x release |
| 3 | Forward DNS (hosts and all management VMs) | nslookup <fqdn> for every host and management component | Returns exactly the planned IP |
| 4 | Reverse DNS (PTR) | nslookup <ip> for every host and management component | Returns the same FQDN used in check 3 (not a short name or an alias) |
| 5 | DNS servers set | cat /etc/resolv.conf | Correct nameservers and search domain |
| 6 | Hostname / FQDN correct | hostname -f (or esxcli system hostname get) | Full FQDN, matches DNS. Fix this before check 9: the regenerated certificate is built from the hostname |
| 7 | NTP configured and reachable | esxcli system ntp get, then esxcli system ntp test | Service enabled, servers reachable, offset near 0 |
| 8 | Time in sync across hosts | date on each host, run within the same minute | All within 1 to 2 seconds |
| 9 | Host certificate CN matches the FQDN | openssl x509 -in /etc/vmware/ssl/rui.crt -noout -subject | CN equals the host FQDN. If not, run /sbin/generate-certificates, then /etc/init.d/hostd restart and /etc/init.d/vpxa restart |
| 10 | SSH running and allowed through the host firewall | /etc/init.d/SSH status, then esxcli network firewall ruleset list -r sshServer | SSH running and the sshServer ruleset enabled (the installer needs it) |
| 11 | Physical NICs up | esxcli network nic list | Required vmnics show Link=Up at the expected speed |
| 12 | Management VMkernel and gateway reachable | vmkping -I vmk0 <gateway-ip> | Replies |
| 13 | Deploy-host port group matches the management network | esxcli network vswitch standard portgroup list | Port group VLAN ID matches the management subnet |
| 14 | Jumbo MTU end to end (vMotion / vSAN) | esxcli network ip interface list to confirm the vmk MTU, then vmkping -I vmkX -d -s 8972 <peer-ip> | Replies with -d (don't fragment) set; see Table B |
| 15 | Overlay / TEP path carries at least 1600 | vmkping -I vmkX -d -s 1572 <peer-ip>. NSX has not created the TEP VMkernel yet at this stage, so test from a temporary VMkernel on the TEP VLAN and remove it afterwards | Replies, confirming a 1600-or-higher path |
| 16 | Management IPs free (Installer, vCenter, SDDC Manager / Operations, NSX Managers and VIP, Automation) | ping <ip> for each | No reply (IP unused and reserved). A device that drops ICMP is also silent, so cross-check against your IPAM / DHCP reservations |
| 17 | Storage ready | vSAN: vdq -q for disk eligibility; external: esxcli storage filesystem list | vSAN disks report Eligible for use by VSAN, or the datastore is mounted |
| 18 | Passwords meet the rules | Pre-stage per Table C | All accounts compliant |
| 19 | Download token and licenses | Generate the token at support.broadcom.com | Token valid, license keys on hand |
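The checks that fail most often (3, 4, 9, 14 and 15) are easy to script so that every host gets the same test. The script below is an added example for this checklist, not code from Broadcom's documentation or the VCF Installer. It assumes the ESX host shell (busybox ash with busybox nslookup, awk, sed and tr), the standard certificate path /etc/vmware/ssl/rui.crt, and it handles both busybox nslookup output styles. The host names (esx01.example.com, esx02.example.com), IPs, VMkernel names (vmk1, vmk2) and peer addresses in run_all are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example for this checklist (not Broadcom code). Run on the ESX host shell:
#   sh vcf-precheck.sh run
# Assumptions: busybox nslookup/awk/sed/tr, /etc/vmware/ssl/rui.crt, placeholder names below.

# Thin wrappers around the commands that need a live host. Keeping them separate lets the
# parsing and comparison logic be exercised off-host by redefining these functions.
lookup_a()     { nslookup "$1" 2>/dev/null; }
lookup_ptr()   { nslookup "$1" 2>/dev/null; }
cert_subject() { openssl x509 -in /etc/vmware/ssl/rui.crt -noout -subject 2>/dev/null; }

# DNS names compare case-insensitively, and a PTR answer may carry a trailing dot.
norm_name() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# First IPv4 in the answer section. The server block (everything before the first blank line)
# is skipped so the resolver's own address is never mistaken for the answer.
forward_ip() {
    lookup_a "$1" | awk '
        /^$/ { ans = 1; next }
        ans && /Address/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
        }'
}

# Name from the PTR answer: "x.in-addr.arpa name = host" (newer busybox) or
# "Address 1: <ip> host" (older busybox). Prints nothing when there is no PTR record.
reverse_name() {
    lookup_ptr "$1" | awk '
        /^$/ { ans = 1; next }
        ans && /name = / { sub(/.*name = /, ""); print; exit }
        ans && /Address/ { print $NF; exit }'
}

# Checks 3 + 4 as one round trip: name -> expected IP -> the same name.
dns_roundtrip() {
    fqdn=$(norm_name "$1"); want="$2"
    ip=$(forward_ip "$fqdn")
    if [ "$ip" != "$want" ]; then
        echo "FAIL forward: $fqdn -> '${ip:-no answer}', expected $want"; return 1
    fi
    back=$(norm_name "$(reverse_name "$ip")")
    if [ "$back" != "$fqdn" ]; then
        echo "FAIL reverse: $ip -> '${back:-no PTR}', expected $fqdn"; return 1
    fi
    echo "PASS dns: $fqdn <-> $ip"
}

# Check 9: CN from the host certificate; handles "CN = x, O = y" and "/CN=x/O=y" subject styles.
cert_cn() { cert_subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | head -n 1; }

cert_cn_matches() {
    cn=$(norm_name "$(cert_cn)")
    if [ "$cn" != "$(norm_name "$1")" ]; then
        echo "FAIL cert: CN '${cn:-none}' != $1 (fix the hostname, then /sbin/generate-certificates)"; return 1
    fi
    echo "PASS cert: CN = $cn"
}

# Checks 14 + 15: vmkping -s takes the ICMP payload, i.e. MTU minus 20 (IP) minus 8 (ICMP).
icmp_payload() { echo $(( $1 - 28 )); }

# Don't-fragment probe at a given MTU through a given VMkernel; -c 3 sends three probes.
mtu_probe() {
    vmk="$1"; mtu="$2"; peer="$3"
    if vmkping -I "$vmk" -d -s "$(icmp_payload "$mtu")" -c 3 "$peer" >/dev/null 2>&1; then
        echo "PASS mtu: $mtu via $vmk to $peer"
    else
        echo "FAIL mtu: $mtu via $vmk to $peer (check the vmk MTU and every switch port on the path)"; return 1
    fi
}

# Placeholder inventory: replace with your hosts, VMkernels and peers.
run_all() {
    rc=0
    for entry in esx01.example.com=10.0.0.11 esx02.example.com=10.0.0.12; do
        dns_roundtrip "${entry%=*}" "${entry#*=}" || rc=1
    done
    cert_cn_matches "$(hostname -f)" || rc=1
    mtu_probe vmk1 9000 10.0.1.12 || rc=1   # vMotion / vSAN vmk, jumbo
    mtu_probe vmk2 1600 10.0.2.12 || rc=1   # temporary vmk on the TEP VLAN
    return $rc
}

if [ "${1:-}" = run ]; then run_all; fi
```

The round trip is deliberately strict: the PTR must come back as the exact FQDN you will type into the Installer, because a PTR that resolves to a short name or an alias is the DNS failure that passes a casual nslookup and still breaks the deployment.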
B. MTU per Traffic Type (VLAN Trunk)
The physical trunk has to carry the highest MTU you use, so set the switch ports to 9000 (jumbo) and let each VMkernel use the value below. The host-overlay / TEP network must be at least 1600 bytes because Geneve wraps each 1500-byte guest frame in an outer Ethernet, IP, UDP and Geneve header.
| Traffic | Recommended MTU | Minimum | Notes |
|---|---|---|---|
| Management | 1500 | 1500 | Default; jumbo not required |
| vMotion | 9000 | 1500 | Jumbo improves throughput |
| vSAN | 9000 | 1500 | Jumbo strongly recommended |
| Host Overlay / TEP (Geneve) | 1700 (or 9000) | 1600 | Must be 1600 or higher to carry the encapsulated frame; 1700 leaves headroom for Geneve options |
| Edge Uplink | 9000 | 1600 | Match the overlay / physical path |
| Physical switch trunk | 9000 | 1600 | Must be at least the largest VMkernel MTU on the path, on every switch port between the hosts |
vmkping -d -s takes the ICMP payload size, which is the MTU minus 28 bytes (20-byte IP header plus 8-byte ICMP header), so test 9000 with 8972 and 1600 with 1572. Without -d the host is free to fragment, and the test proves nothing.
C. Password Requirements
VCF components have different minimums. NSX needs 12 or more, and VCF Operations is the strictest at 15 characters. The simplest safe approach is to make every account password 15 characters or more with full complexity, which satisfies every component at once.
| Rule | Value |
|---|---|
| Minimum length | 15 characters (use this everywhere to satisfy all components) |
| Uppercase | at least 1 |
| Lowercase | at least 1 |
| Number | at least 1 |
| Special character | at least 1 |
| Not allowed | spaces, dictionary words, simple sequences |
For the exact per-component minimums, check Broadcom’s “Default Password Requirements for VCF Components” documentation.
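Staging passwords in advance is only useful if they are checked before the wizard rejects them. The script below is an added example, not Broadcom's code or the Installer's own validator; it applies the "15 everywhere" rule set from Table C to a staged file of account=password lines (a format constructed for this example). Dictionary-word screening needs a wordlist and is not attempted; "simple sequence" is taken here to mean four or more characters that ascend by one (abcd, 1234) or repeat (aaaa), which is an assumption rather than a Broadcom definition.

```shell
#!/bin/sh
# Added example (not Broadcom code): pre-validate staged passwords against Table C.
# Busybox-compatible sh, grep and awk only, so it also runs on the ESX host shell.
# C locale keeps [A-Z] meaning ASCII upper case regardless of the host's locale settings.
LC_ALL=C; export LC_ALL

MIN_LEN=15

# Prints 1 if the string contains 4+ characters stepping by exactly +1 (abcd, 1234) or
# repeating (aaaa), else 0. awk has no ord(), so a byte->code table is built with sprintf("%c").
has_simple_sequence() {
    printf '%s\n' "$1" | awk '
        BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
        {
            up = 1; same = 1; found = 0
            for (i = 2; i <= length($0); i++) {
                d = ord[substr($0, i, 1)] - ord[substr($0, i - 1, 1)]
                up   = (d == 1) ? up + 1   : 1
                same = (d == 0) ? same + 1 : 1
                if (up >= 4 || same >= 4) { found = 1; break }
            }
            print found
        }'
}

# Returns 0 when the password passes every rule; otherwise prints the failed rules and returns 1.
check_password() {
    pw="$1"; fail=""
    [ "${#pw}" -ge "$MIN_LEN" ]                    || fail="$fail length<$MIN_LEN"
    printf '%s\n' "$pw" | grep -q '[A-Z]'          || fail="$fail no-uppercase"
    printf '%s\n' "$pw" | grep -q '[a-z]'          || fail="$fail no-lowercase"
    printf '%s\n' "$pw" | grep -q '[0-9]'          || fail="$fail no-number"
    printf '%s\n' "$pw" | grep -q '[^A-Za-z0-9 ]'  || fail="$fail no-special"
    case "$pw" in *' '*) fail="$fail contains-space" ;; esac
    [ "$(has_simple_sequence "$pw")" = 0 ]         || fail="$fail simple-sequence"
    if [ -n "$fail" ]; then
        echo "FAIL:$fail"; return 1
    fi
    return 0
}

# Validate a staged file of account=password lines (blank lines and # comments ignored),
# one verdict per account. Returns 1 if any account fails.
check_staged() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        acct=${line%%=*}; secret=${line#*=}
        if out=$(check_password "$secret"); then
            echo "PASS $acct"
        else
            echo "FAIL $acct $out"; rc=1
        fi
    done < "$1"
    return $rc
}

# Usage: sh check-passwords.sh staged.txt   (keep the staged file off shared storage and
# delete it once the deployment has finished)
if [ -n "${1:-}" ]; then check_staged "$1"; fi
```

Because every rule is reported rather than only the first, a failing account shows everything that must change at once, which is what you want when the same password is reused across components with different minimums.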
Bottom Line
If you only have time for three checks before you deploy: confirm forward and reverse DNS for every host and management component, confirm NTP time sync across all hosts, and confirm the host certificate CN matches the FQDN. These three cause most failed VCF deployments. The rest of the items in the tables help the first run go cleanly too.
Reference: Broadcom TechDocs, VMware Cloud Foundation 9.x (deployment, vSAN network design, MTU guidance, and password requirements). Always check against the BOM for your specific 9.x build.