Vsphere Networking
Type of Networking Service
è
Connecting VM thorough physical network
è
Connecting VM Kernel services (such as NFS, iSCSI, or vMotion)
to the physical network
Physical NIC Adapter
ü
Named as vmnic
ü
Can connect to an access port or a trunk port
ü
Only support 802.1Q called as dot1Q trunk
ü
Physical NIC connecting a Trunk port is
necessary for VLAN Tagging while creating port group with vlan id.
Virtual Switch
ü
Named as vSwitch
ü
Two types of Virtual Switch
Standard Virtual Switch (VMware vSS)
ü
vSS having one uplink port (physical nic port )
ü
In each vSS we can have multiple Standard port group
ü
Each Port Group is set of Network Constraints for the management,
this for grouping the network parameters and performance.
ü
Management of vSS switch is limited to each host and this
reduces the manageability of the networking.
ü
As mentioned above we need to create each
standard switch and port group in each esxi host separately and needs to
administer that individually , Is it good ?! No right…
ü
Network
Traffic Classification
Inbound
Traffic
ü
Traffic coming to
VM through VNIC is called inbound
traffic
Outbound
Traffic
ü
Traffic going out
from the VM through VNIC is called –
Outbound Traffic
VLAN
ü It isolates and secures network traffic.
ü
It reduces network traffic
congestion.
Methods of Configuring
/availing VLAN in ESXI
è
External Switch Tagging
On CISCO switches port are
assigned to single VLAN it is called as Access Port
An access port doesn’t have VLAN
information and the tagging is done by the physical switch port while going out
through the interface.
Since an access port doesn’t
have VLAN information , it cannot filter the access port with VLANid , that is
the reason it is called as External switch tagging and we are giving VLAN ID
`0` for portgroup & network as it is disable vlan tagging
ESXI host connecting to an
physical access port in a cisco switch only can avail particular access vlan .
All vlan tagging is performed
by the Physical Switch.
Each time physical switch
Let say port e0 vlan 211 in
switch A connected to server X using
vmnic1 , X server only get vlan 211
through vmnic1 –eo , If any intervlan enabled b/w vlan 211 to anyother vlan ,
it can avail that as well.
Since it is access port &
doesn’t have vlan tag information only vlan id 0 should be set to access port
connecting to vswitch or a porgroup . VLAN ID 0 means all the packets will be transmitted independent of which VLAN
its coming from. Doesn't matter whether its 300 or 50.
Virtual Switch Tagging
With
VST, all VLAN tagging of packets is performed by the virtual switch before
leaving the host. Host
network
adapters must be connected to trunk ports on the physical switch. Port groups
that are connected
to
the virtual switch must have a VLAN ID between 1 and 4094.
Virtual switch
tagging is configuring here :
Configuration of VirtualSwitch (vSwitch)
To set a standard
vSwitch portgroup to trunk mode:
1.
Edit host networking
via the Virtual infrastructure Client.
2.
Click Host > Configuration > Networking > vSwitch > Properties.
3.
Click Ports > Portgroup > Edit.
4.
Click the General tab.
5.
Set the VLAN ID to 4095. A VLAN ID of
4095 represents all trunked VLANs.
- Click OK.
To set a distributed vSwitch portgroup to trunk
mode:
1.
Edit host networking
via the Virtual infrastructure Client.
2.
Click Home > Inventory > Networking.
3.
Right click on the
dvPortGroup and choose Edit Settings.
4.
Within that dvPortGroup
navigate to Policies > VLAN.
5.
Set VLAN type to VLAN Trunking and specify a range of VLANs or
specificy a list of VLANs to be passed to the Virtual Machines connected
to this portgroup.
Note: To improve security, virtual Distributed Switch es allow
you to specify a range or
selection of VLANs to trunk
rather than allowing all VLANS via
VLAN 4095 .
Virtual Guest Tagging
Standard Port Group
Configuration for: Network
Properties
Ø
General
è Network
Label : Name of the Network
è VLAN
ID: select the VLAN number from Trunk Network(vlan tagging)
Ø
Traffic
Shaping
Ø
NIC Teaming
Ø
Security
è Promiscuous
mode - Rejected by default
è MAC
Address Change – Accepted by default
è Forged
Transmits – Accepted by default
A single standard switch is associated with at least One or
More port group
VM
Network Properties
General
Network Label:
Label of the Network which is meaningful.
VLAN ID
(Optional): If the Physical port in trunk you can filter the VLAN
required using this feature.
Suppose if you want VLAN 10 only & the physical port
connected is a Trunk, can take VLAN 10 from this.
Make the Datacenter easy. Using the physical port trunk
and accessing by filtering the vlan make the datacenter preparation more faster
(no need of physical port vlan change always)
Security
Security Feature Summary
Promiscuous mode set to
Accept – Virtual Machine will get all traffic in the portgroup or in
switch for monitoring, so the user can analyze what is going on the wire.
MAC Address Changes set to
Reject - vNIC drop all traffic. (Inbound & Outbound)
Forged Transmit set to Reject - vNIC drop outgoing traffic only. (Outbound)
Forged Transmit set to Reject - vNIC drop outgoing traffic only. (Outbound)
Promiscuous mode:
SUMMARY: “For network monitoring, by default –
Rejected, by enabling this a Virtual Machine can listen & analyze the
network traffic in a port group level or in a virtual switch level. There are application available to monitor
the network traffic like wire shark and Microsoft **. This will route all the
packets in a wire to promiscuous mode enabled network located machine.”
Promiscuous
mode is a security policy which can be defined at the virtual switch or
portgroup level in vSphere ESXi. Promiscuous mode eliminates any
reception filtering that the virtual network adapter would perform so that the
guest operating system receives all traffic observed on the wire. By default,
the virtual network adapter cannot operate in promiscuous mode.
Although promiscuous mode
can be useful for tracking network activity, it is an insecure mode of operation,
because any adapter in promiscuous mode has access to the packets regardless of
whether some of the packets are received only by a particular network adapter.
This means that an administrator or root user within a virtual machine can
potentially view traffic destined for other guest or host operating systems.
When
promiscuous mode is enabled at the portgroup level, objects defined within that
portgroup have the option of receiving all incoming traffic on the vSwitch. Interfaces and virtual machines
within the portgroup will be able to see all traffic passing on the vSwitch,
but all other portgroups
within the same virtual switch do not.
VM Network is the label which I have given for
a port group here:-
Promiscuous mode enabled at
the virtual switch level.
Promiscuous
mode is enabled at the virtual switch level, all portgroups within the vSwitch will default to allowing
promiscuous mode. However, promiscuous mode can be explicitly disabled
at one or more portgroups within the vSwitch, which override the
vSwitch-defined default.
I have seen a
nice note here:
MAC Address Change
SUMMARY: “This for avoiding
common network attack like intruder and mac address spoofing which helps to
block the user from changing MAC-ID inside the Virtual machine OS from initial address which is recorded in
vmx file (in a physical machine burned in to the NIC & in VM
perspective MAC recorded in VM GUI properties which reflect same as vmx file of
the particular vm) to a new one. By
default –MAC address change is accepted in Standard switch of Virtual Machine,
so the user can change the MAC-ID from inside the OS. But we make it as
Rejected in portgroup or virtual switch, as soon as user change the MAC-ID from
inside the OS, the network connectivity will be lost.
This is one of the security
feature vsphere switch and this feature is allowed to narrow the scope in port
group level. If we configure “MAC
address Changes – Reject “, we are not permitted to change the MAC address from
initial MACID to new MAC id in inside the guest OS. Initial MAC-ID is already
recorded in the vmx configuration file and vmx grab this id from the VM
–Setting GUI , which automatically or manually configured.
Reject - If you set the MAC Address
Changes to Reject and the guest operating system changes the MAC
address of the adapter to anything other than what is in the.vmx configuration file, all inbound frames are
dropped.
If the Guest OS changes the MAC
address back to match the MAC address in the .vmx configuration file,
inbound frames are passed again.
Accept - Changing the MAC address from
the Guest OS has the intended effect: frames to the new MAC address are
received.
If a VM can change its MAC to whatever it wishes, it can
potentially spoof a known good MAC address and steel frames meant for another
VM. Having this security policy in place prevents a VM from doing this, either
maliciously or unintentionally, by blocking the port. There are certain use
cases where you do want two VMs to have the same MAC address, an example being
Network Load Balancing (NLB) in unicast mode.
Microsoft Server load
balancing requires same MAC ID on both machines. This is one of the application
where we required MAC-ID change.
I have seen a good tutorial
here :
Forged Transmits
SUMMARY:” It is another
security feature which VM having , in some scenario an attacked will use
different MAC-ID for spoofing the network LAN , this is by using different
MAC-ID in data link layer frame source address for availing some benefit which
intruder required . By allowing Forged Transmits (Fake Transmission of packets)
a VM user can change the MAC and can use different MAC –ID . An intruder can
easily penetrate network by allowing Forged Transmits. This is different with
MAC-Address Change as the vswitch or porgroup will only allow the initial MAC
ID & will not allowing changing of SOURCE
MAC ADDRESS OF FRAME WHILE SENDING,
this is the best difference between MAC-ID change and Forged Transition , where
an user cannot alter the frame source address while sending the frames. Due to
this some application which is changing the source address won’t work here if
the Forged Transmition is rejected.
Here the confusion is how the MAC –ID is
comparing, here is the answer, Frame Source MAC is comparing with the initial
MAC stored in the VMX file or in VM-setting GUI. If a mismatch found in Forged
Transmits Rejected state configured ports connected VM, then the VM inbound and
outbound traffic will be blocked with NO IP .(Only get automatic IP range
169.XX.XX.XX “.
CISCO UCS and Networking
recommend (MAC-security should be disabled (maximum mac-address 5 command like
that ) while Forged transmition is enabled.
To verifying this, I have
changed the MAC –ID of a Virtual Machine in GUI properties, after changing the
MAC-ID to other than initial MAC ID which is in vmx file (VM properties) , I
have observed no IP and No Network . So I roll back to default MAC by selecting
“Locally Administered account not present”.
As a security we can select
the forged transition to reject . Once the user change the MAC ID , VM won’t
get any network .
set forged-transmit
To allow or disallow the forging of MAC addresses, use the set forged-transmit command.
set forged-transmit { allow |
deny }
Syntax Description
allow
|
Specifies
that the server is allowed to forge MAC addresses.
|
deny
|
Specifies
that the server is not allowed to forge MAC addresses.
|
Command Default
Forged transmit is allowed.
Command Modes
MAC security (org/nw-ctrl-policy/mac-security)
Command History
Release
|
Modification
|
1.0(1)
|
This
command was introduced.
|
Usage Guidelines
Use this command to allow or disallow the forging of MAC addresses
by the server when sending frames. When port security is enabled in the
network, MAC address forging should be disabled for the vNICs. You can include
the set forged-transmit command in a network control
policy and then apply the policy in a vNIC service profile.
Examples
This example shows how to create a network control policy that
disables the forging of MAC addresses:
switch-A# scope org
switch-A /org # create
nw-ctrl-policy testPolicy
switch-A
/org/nw-ctrl-policy* # create mac-security
switch-A
/org/nw-ctrl-policy/mac-security* # set forged-transmit deny
switch-A
/org/nw-ctrl-policy/mac-security* # commit-buffer
switch-A
/org/nw-ctrl-policy/mac-security #
Related Commands
Command
|
Description
|
show
mac-security
|
|
show
nw-ctrl-policy
|
|
Traffic
Shaping
By default Traffic shaping is disabled and if you need
control packets passing through each port group , you can enable.
Distribute Virtual
Switch (VMware vDS)
Latest VDs
version is
vDs is only available in vSphere Enterprise Plus license
Centralized location to setup the virtual network for the
entire infrastructure.
Aggregation network at cluster level:-
Distributed vSwitches allow different hosts to use the switch
as long as they exist within the same host cluster.
Enabled centralized provisioning,administration and
monitoring
Features include
Port Group
LAB
Configured a
Distribute Switch & Check the default entity of Forged Trasmits – It is
Reject by default.
Comparison of vSS
vs vDS
Virtual NIC card
For Guest Virtual Machines
How it works
Virtual Machine used VNIC card for connecting to vSwitch
and Vswitch uses Physical NIC (vmnic )
card going outside the LAN communication.
Ingress
means
Ingress
means Incoming
Egress
means outgoing
Above picture both NIC having same
subnet and same network, so same subnet for two nic’s is required for both
nic’s.
ote: There are a number of requirements which need to be considered
before implementing any form of link aggregation. For more/related information
on these requirements, see ESXi/ESX host requirements for
link aggregation (1001938).
Link aggregation concepts:
Link aggregation concepts:
- EtherChannel: This is a link
aggregation (port trunking) method used to provide fault-tolerance and
high-speed links between switches, routers, and servers by grouping two to
eight physical Ethernet links to create a logical Ethernet link with
additional failover links. For additional information on Cisco
EtherChannel, see the EtherChannel Introduction by Cisco.
- LACP
or IEEE 802.3ad: The Link Aggregation Control Protocol (LACP) is
included in IEEE specification as a method to control the bundling of
several physical ports together to form a single logical channel. LACP
allows a network device to negotiate an automatic bundling of links by sending
LACP packets to the peer (directly connected device that also implements
LACP). For additional information on LACP see the Link Aggregation Control
Protocol whitepaper by Cisco.
Note: LACP is only supported in vSphere 5.1, using vSphere Distributed Switches (VDS) or the Cisco Nexus 1000v. - EtherChannel
vs. 802.ad:
EtherChannel and IEEE 802.3ad standards are very similar and accomplish
the same goal. There are a few differences between the two, other than
EtherChannel is Cisco proprietary and 802.3ad is an open standard.
- For additional information on
EtherChannel implementation, see the Understanding EtherChannel
Load Balancing and Redundancy on Catalyst Switches article from
Cisco.
EtherChannel supported scenarios:
- One IP to many IP connections. (Host A
making two connection sessions to Host B and C)
- Many IP to many IP connections. (Host A
and B multiple connection sessions to Host C, D, etc)
Note: One IP to one IP connections over multiple NICs is not supported. (Host A one connection session to Host B uses only one NIC). - Compatible with all ESXi/ESX VLAN
configuration modes: VST, EST, and VGT. For more information on these
modes, see VLAN Configuration on
Virtual Switch, Physical Switch, and Virtual Machines (1003806).
- Supported Cisco configuration:
EtherChannel Mode ON – ( Enable EtherChannel only)
- Supported HP configuration: Trunk Mode
- Supported switch Aggregation algorithm:
IP-SRC-DST (short for IP-Source-Destination)
- Supported Virtual Switch NIC Teaming
mode: IP HASH
Note: The only load balancing option for vSwitches or vDistributed Switches that can be used with EtherChannel is IP HASH: - Do not use beacon probing with IP HASH
load balancing.
- Do not configure standby or unused
uplinks with IP HASH load balancing.
- VMware only supports one EtherChannel
per vSwitch or vNetwork Distributed Switch (vDS).
- Lower model Cisco switches may have
MAC-SRC-DST set by default, and may require additional configuration. For
more information, see the Understanding EtherChannel
Load Balancing and Redundancy on Catalyst Switches article from
Cisco.
This is a Cisco EtherChannel sample configuration:
interface Port-channel1
switchport
switchport
access vlan 100
switchport
mode access
no
ip address
!
interface
GigabitEthernet1/1
switchport
switchport
access vlan 100
switchport
mode access
no
ip address
channel-group
1 mode on
!
ESX Server and Cisco switch sample topology and configuration:
Run this command to verify EtherChannel load balancing mode configuration:
Switch# show etherchannel
load-balance
EtherChannel
Load-Balancing Configuration:
src-dst-ip
mpls
label-ip
EtherChannel
Load-Balancing Addresses Used Per-Protocol:
Non-IP:
Source XOR Destination MAC address
IPv4:
Source XOR Destination IP address
IPv6:
Source XOR Destination IP address
MPLS:
Label or IP
Switch#
show etherchannel summary
Flags:
D - down P - bundled in port-channel
I
- stand-alone s - suspended
H
- Hot-standby (LACP only)
R
- Layer3 S - Layer2
U
- in use f - failed to allocate aggregator
M
- not in use, minimum links not met
u
- unsuitable for bundling
w
- waiting to be aggregated
Number
of channel-groups in use: 2
Number
of aggregators: 2
Group
Port-channel Protocol Ports
------+-------------+-----------+--------------------------
1
Po1(SU) - Gi1/15(P) Gi1/16(P)
2
Po2(SU) - Gi1/1(P) Gi1/2(P)
Switch#
show etherchannel protocol
Channel-group
listing:
-----------------------
Group:
1
----------
Protocol:
- (Mode ON)
Group:
2
----------
Protocol:
- (Mode ON)
HP switch sample
configuration
This configuration is specific to HP switches:
- HP switches support only two modes of
LACP: ACTIVE and PASSIVE.
Note: LACP is only supported in vSphere 5.1 with vSphere Distributed Switches and on the Cisco Nexus 1000V. - Set the HP switch port mode to TRUNK to
accomplish static link aggregation with ESXi/ESX.
- TRUNK Mode of HP switch ports is the
only supported aggregation method compatible with ESXi/ESX NIC teaming
mode IP hash.
To configure a static portchannel in an HP switch using ports 10, 11, 12, and 13, run this command:
conf
trunk
10-13 Trk1 Trunk
To verify your portchannel, run this command:
ProCurve# show trunk
Load
Balancing
Port
| Name Type | Group Type
----
+ --------- + ----- -----
10
| 100/1000T | Trk1 Trunk
11
| 100/1000T | Trk1 Trunk
12
| 100/1000T | Trk1 Trunk
13
| 100/1000T | Trk1 Trunk
Configuring load
balancing within the vSphere/VMware Infrastructure Client
To configure vSwitch properties for load balancing:
1.
Click the ESXi/ESX host.
2.
Click the Configuration tab.
3.
Click the Networking link.
4.
Click Properties.
5.
Click the virtual switch in the Ports tab and click Edit.
6.
Click the NIC Teaming tab.
7.
From the Load Balancing dropdown,
choose Route based on ip hash.
8.
Verify that there are two or more network adapters listed under Active
Adapters.
Note: The only load balancing option for vSwitches or vDistributed Switches that can be used with EtherChannel is IP HASH.
- Do not use beacon probing with IP HASH
load balancing.
- Do not configure standby or unused
uplinks with IP HASH load balancing.
- VMware supports only one EtherChannel
per vSwitch or vNetwork Distributed Switch (vDS).
- ESX/ESXi running on a blade system does
not require IP Hash load balancing if an EtherChannel exists between the
blade chassis and upstream switch. This is only required if an EtherChannel
exists between the blade and the internal chassis switch, or if the blade
is operating in a network pass-through mode with an etherchannel to the
upstream switch. For more information on these various scenarios, please
contact your blade hardware vendor.
Additional Information
For more information, see NIC teaming using EtherChannel
leads to intermittent network connectivity in ESXi (1022751).
LACP is supported on vSphere ESXi 5.1 on VMware vDistributed Switches only. For more information, see Enabling or disabling LACP on an Uplink Port Group using the vSphere Web Client (2034277) and the What's New in VMware vSphere 5.1 - Networking white paper.
For translated versions of this article, see:
LACP is supported on vSphere ESXi 5.1 on VMware vDistributed Switches only. For more information, see Enabling or disabling LACP on an Uplink Port Group using the vSphere Web Client (2034277) and the What's New in VMware vSphere 5.1 - Networking white paper.
For translated versions of this article, see:
- Español: Configuración de muestra
de EtherChannel/agregación de enlaces con ESXi/ESX y conmutadores Cisco/HP
(2034989)
- Português: Amostra de configuração do
EtherChannel/Agregação de link com switches ESX/ESXi e Cisco/HP (2037187)
- Mandarin Chinese: 与 ESXi/ESX 和 Cisco/HP 交换机的 EtherChannel/链接聚合的配置示例 (2040972)
Tags
no-access-to-external-network no-load-balancing
IP Hash is a native
vSphere switch requirement. It does not support any other load distribution
methods.
Here is the warning from
vSphere:
Notice that if I want to use EtherChannel,
I have to select IP Hash for my load balancing method, and immediately there is
a little information box warning.
Note: The term IP Hash equates to
a load distribution policy of src-dst-ip on a Cisco switch.
Static EtherChannel under other
circumstances can use any of the available load distribution policies. When
talking to a vSphere host, however, it is forced to using an IP Hash because
that is what vSphere is able to use.
If you want to use LACP with
vSphere, you are required to install a Cisco Nexus 1000Vvirtual
switch. There’s no other way to do LACP with vSphere at the time of this
writing. And, since the 1000V is a (nearly) full featured Cisco switch, instead
of a native vSphere switch, you can use any load distribution policy you want –
you are no longer limited to IP Hash (src-dst-ip)
NIC Teaming
It is for load balancing and fall
back by redundancy , It is GUI interface
where we can configure etherchannel after configuring the same ports as
etherchannel in physical switch side by cisco commands
Loadbalaning and redundancy
leaveraging from ether channel.
ETHER CHANNEL (PAGP ) IS CISCO
PROPRIETARY
LACP IS OPEN SOURCE AND DEVELOPED
BY IEEE , rfC 802.AD
LAB vmware esXI network dump collector
Configuration and Management.
Load Balancing: Route Based on IP Hash
PAGP is the protocol which cisco uses for etherchannel.
We can partition the network resource in to two connection
type where as
1.
Virtual machine connection type
2.
VMkernel network type
In VMkernel is purely optimized for vmotion ,faulttolerance
, nfs etc , with having a separate new
tcp/ip stack for services like vmotion & faulttolerance.
VMkerenel traffic always create a default root 0.0.0.0
0.0.0.0 10.223.162.251 eventhough we have not configured vmkernel traffic so
any packet which don’t have route will go to 10.223.162.251.
I said if we didn’t configured the vmkernel traffic
physically also , esxi automatically create a vmkernel traffic , ie is for vm
management network.
You can see that here in down .
vDs
Distributed switch is a specific to a data center not
specific to cluster or a host.
Only available with Enterprise Edition
Recommend to everyone if they having enterprise edition
license.
Upgrading Distributed Switch:-
Here I was trying to upgrade the distributed switch but is
not possible with current environment , In my current environment I have
installed ESXI 5.1 in the below
mentioned host and running vSD 5.0 but the reason vSD cannot upgrade to 5.5 due
to the ESXI 5.1 is not upgraded to 5.5 , Ok ..
Here I forget to say that I have upgraded the vCenter from 5.1 to 5.5 in
my current environment. Have to upgrade to esxi as well to 5.5 for upgrading
the vSD and H/W version of the VM’s.
No comments:
Post a Comment