Saturday, April 26, 2014

NETWORKING

Vsphere Networking

Type of Networking Service

è Connecting VM thorough physical network
è Connecting VM Kernel services (such as NFS, iSCSI, or vMotion) to the physical network

Physical NIC Adapter

ü  Named as vmnic
ü  Can connect to an access port or a trunk port
ü  Only support 802.1Q called as dot1Q trunk
ü  Physical NIC connecting a Trunk port is necessary for VLAN Tagging while creating port group with vlan id.

Virtual Switch

ü  Named as vSwitch
ü  Two types of Virtual Switch

Standard Virtual Switch (VMware vSS)

ü  vSS having one uplink port (physical nic port )
ü  In each vSS we can have multiple Standard port group
ü  Each Port Group is set of Network Constraints for the management, this for grouping the network parameters and performance.
ü  Management of vSS switch is limited to each host and this reduces the manageability of the networking.
ü  As mentioned above we need to create each standard switch and port group in each esxi host separately and needs to administer that individually , Is it good ?! No right…
ü   

Network Traffic Classification

Inbound Traffic
ü  Traffic coming to VM through VNIC is called inbound traffic

Outbound Traffic
ü  Traffic going out from the VM through VNIC is called – Outbound Traffic


 

VLAN


ü  It isolates and secures network traffic.
ü  It reduces network traffic congestion.
Methods of Configuring /availing VLAN in ESXI 
è External Switch Tagging
On CISCO switches port are assigned to single VLAN it is called as Access Port
An access port doesn’t have VLAN information and the tagging is done by the physical switch port while going out through the interface.
Since an access port doesn’t have VLAN information , it cannot filter the access port with VLANid , that is the reason it is called as External switch tagging and we are giving VLAN ID `0` for portgroup & network as it is disable vlan tagging
ESXI host connecting to an physical access port in a cisco switch only can avail particular access vlan .
All vlan tagging is performed by the Physical Switch.
Each time physical switch
Let say port e0 vlan 211 in switch A connected to server X  using vmnic1 , X server only  get vlan 211 through vmnic1 –eo , If any intervlan enabled b/w vlan 211 to anyother vlan , it can avail that as well.
Since it is access port & doesn’t have vlan tag information only vlan id 0 should be set to access port connecting to vswitch or a porgroup . VLAN ID 0 means all the packets will be transmitted independent of which VLAN its coming from. Doesn't matter whether its 300 or 50.
Virtual Switch Tagging
With VST, all VLAN tagging of packets is performed by the virtual switch before leaving the host. Host
network adapters must be connected to trunk ports on the physical switch. Port groups that are connected
to the virtual switch must have a VLAN ID between 1 and 4094.               


Virtual  switch tagging is configuring here :

Configuration of VirtualSwitch (vSwitch)
To set a standard vSwitch portgroup to trunk mode:
1.     Edit host networking via the Virtual infrastructure Client.
2.     Click Host > Configuration > Networking > vSwitch > Properties.
3.     Click Ports > Portgroup > Edit.
4.     Click the General tab.
5.     Set the VLAN ID to 4095. A VLAN ID of 4095 represents all trunked VLANs.
  1. Click OK.
To set a distributed vSwitch portgroup to trunk mode: 
1.     Edit host networking via the Virtual infrastructure Client. 
2.     Click Home > Inventory > Networking.
3.     Right click on the dvPortGroup and choose Edit Settings.
4.     Within that dvPortGroup navigate to Policies > VLAN.
5.     Set VLAN type to VLAN Trunking and specify a range of VLANs or specificy a list of VLANs to be passed to the Virtual Machines connected to this portgroup.
Note: To improve security, virtual Distributed Switch es allow you to specify a range or selection of VLANs to trunk rather than allowing all VLANS via VLAN 4095 .

Virtual Guest Tagging



Standard Port Group

Configuration for: Network Properties
Ø  General
è Network Label : Name of the Network
è VLAN ID: select the VLAN number from Trunk Network(vlan tagging)

Ø  Traffic Shaping

Ø   NIC Teaming

Ø  Security
è Promiscuous mode  - Rejected by default
è MAC Address Change – Accepted by default
è Forged Transmits – Accepted by default

A single standard switch is associated with at least One or More port group



VM Network Properties

General     

Network Label: Label of the Network which is meaningful.
VLAN ID (Optional): If the Physical port in trunk you can filter the VLAN required using this feature.
Suppose if you want VLAN 10 only & the physical port connected is a Trunk, can take VLAN 10 from this.
Make the Datacenter easy. Using the physical port trunk and accessing by filtering the vlan make the datacenter preparation more faster (no need of physical port vlan change always)

 

Security

Security Feature Summary
Promiscuous mode set to Accept – Virtual Machine will get all traffic in the portgroup or in switch for monitoring, so the user can analyze what is going on the wire.
MAC Address Changes set to Reject - vNIC drop all traffic. (Inbound & Outbound)
Forged Transmit set to Reject             - vNIC drop outgoing traffic only. (Outbound)

Promiscuous mode:
SUMMARY:For network monitoring, by default – Rejected, by enabling this a Virtual Machine can listen & analyze the network traffic in a port group level or in a virtual switch level.  There are application available to monitor the network traffic like wire shark and Microsoft **. This will route all the packets in a wire to promiscuous mode enabled network located machine.”
Promiscuous mode is a security policy which can be defined at the virtual switch or portgroup level in vSphere ESXi. Promiscuous mode eliminates any reception filtering that the virtual network adapter would perform so that the guest operating system receives all traffic observed on the wire. By default, the virtual network adapter cannot operate in promiscuous mode.
Although promiscuous mode can be useful for tracking network activity, it is an insecure mode of operation, because any adapter in promiscuous mode has access to the packets regardless of whether some of the packets are received only by a particular network adapter. This means that an administrator or root user within a virtual machine can potentially view traffic destined for other guest or host operating systems.
When promiscuous mode is enabled at the portgroup level, objects defined within that portgroup have the option of receiving all incoming traffic on the vSwitch. Interfaces and virtual machines within the portgroup will be able to see all traffic passing on the vSwitch, but all other portgroups within the same virtual switch do not.


VM Network is the label which I have given for a port group here:-
Promiscuous mode enabled at the virtual switch level.
Promiscuous mode is enabled at the virtual switch level, all portgroups within the vSwitch will default to allowing promiscuous mode. However, promiscuous mode can be explicitly disabled at one or more portgroups within the vSwitch, which override the vSwitch-defined default.
I have seen a nice note here:

MAC Address Change
SUMMARY: “This for avoiding common network attack like intruder and mac address spoofing which helps to block the user from changing MAC-ID inside the Virtual machine OS from initial address which is recorded in vmx file (in a physical machine burned in to the NIC & in VM perspective MAC recorded in VM GUI properties which reflect same as vmx file of the particular vm) to a new one. By default –MAC address change is accepted in Standard switch of Virtual Machine, so the user can change the MAC-ID from inside the OS. But we make it as Rejected in portgroup or virtual switch, as soon as user change the MAC-ID from inside the OS, the network connectivity will be lost.
This is one of the security feature vsphere switch and this feature is allowed to narrow the scope in port group level.  If we configure “MAC address Changes – Reject “, we are not permitted to change the MAC address from initial MACID to new MAC id in inside the guest OS. Initial MAC-ID is already recorded in the vmx configuration file and vmx grab this id from the VM –Setting GUI , which automatically or manually configured.
Reject - If you set the MAC Address Changes to Reject and the guest operating system changes the MAC address of the adapter to anything other than what is in the.vmx configuration file, all inbound frames are dropped.
If the Guest OS changes the MAC address back to match the MAC address in the .vmx configuration file, inbound frames are passed again.
Accept - Changing the MAC address from the Guest OS has the intended effect: frames to the new MAC address are received.
If a VM can change its MAC to whatever it wishes, it can potentially spoof a known good MAC address and steel frames meant for another VM. Having this security policy in place prevents a VM from doing this, either maliciously or unintentionally, by blocking the port. There are certain use cases where you do want two VMs to have the same MAC address, an example being Network Load Balancing (NLB) in unicast mode.
Microsoft Server load balancing requires same MAC ID on both machines. This is one of the application where we required MAC-ID change.

I have seen a good tutorial here :

Forged Transmits
SUMMARY:” It is another security feature which VM having , in some scenario an attacked will use different MAC-ID for spoofing the network LAN , this is by using different MAC-ID in data link layer frame source address for availing some benefit which intruder required . By allowing Forged Transmits (Fake Transmission of packets) a VM user can change the MAC and can use different MAC –ID . An intruder can easily penetrate network by allowing Forged Transmits. This is different with MAC-Address Change as the vswitch or porgroup will only allow the initial MAC ID & will not allowing changing of SOURCE  MAC ADDRESS OF FRAME WHILE SENDING, this is the best difference between MAC-ID change and Forged Transition , where an user cannot alter the frame source address while sending the frames. Due to this some application which is changing the source address won’t work here if the Forged Transmition is rejected.
 Here the confusion is how the MAC –ID is comparing, here is the answer, Frame Source MAC is comparing with the initial MAC stored in the VMX file or in VM-setting GUI. If a mismatch found in Forged Transmits Rejected state configured ports connected VM, then the VM inbound and outbound traffic will be blocked with NO IP .(Only get automatic IP range 169.XX.XX.XX “.
CISCO UCS and Networking recommend (MAC-security should be disabled (maximum mac-address 5 command like that ) while Forged transmition is enabled.
To verifying this, I have changed the MAC –ID of a Virtual Machine in GUI properties, after changing the MAC-ID to other than initial MAC ID which is in vmx file (VM properties) , I have observed no IP and No Network . So I roll back to default MAC by selecting “Locally Administered account not present”.
As a security we can select the forged transition to reject . Once the user change the MAC ID , VM won’t get any network .


set forged-transmit
To allow or disallow the forging of MAC addresses, use the set forged-transmit command.
set forged-transmit { allow | deny }
Syntax Description
allow
Specifies that the server is allowed to forge MAC addresses.
deny
Specifies that the server is not allowed to forge MAC addresses.
Command Default
Forged transmit is allowed.
Command Modes
MAC security (org/nw-ctrl-policy/mac-security)
Command History
Release
Modification
1.0(1)
This command was introduced.
Usage Guidelines
Use this command to allow or disallow the forging of MAC addresses by the server when sending frames. When port security is enabled in the network, MAC address forging should be disabled for the vNICs. You can include the set forged-transmit command in a network control policy and then apply the policy in a vNIC service profile.
Examples
This example shows how to create a network control policy that disables the forging of MAC addresses:
switch-A# scope org
switch-A /org # create nw-ctrl-policy testPolicy
switch-A /org/nw-ctrl-policy* # create mac-security
switch-A /org/nw-ctrl-policy/mac-security* # set forged-transmit deny
switch-A /org/nw-ctrl-policy/mac-security* # commit-buffer
switch-A /org/nw-ctrl-policy/mac-security #
Related Commands
Command
Description
show mac-security

show nw-ctrl-policy


Traffic Shaping


By default Traffic shaping is disabled and if you need control packets passing through each port group , you can enable.




Distribute Virtual Switch (VMware vDS)

Latest VDs version is
vDs is only available in vSphere Enterprise Plus license
Centralized location to setup the virtual network for the entire infrastructure.
Aggregation network at cluster level:-
Distributed vSwitches allow different hosts to use the switch as long as they exist within the same host cluster.
Enabled centralized provisioning,administration and monitoring
Features include
Port Group

LAB
Configured a Distribute Switch & Check the default entity of Forged Trasmits – It is Reject by default.


Comparison of vSS vs vDS

Virtual NIC card
For Guest Virtual Machines
How it works
Virtual Machine used VNIC card for connecting to vSwitch and  Vswitch uses Physical NIC (vmnic ) card going outside the LAN communication.
Ingress means






















Ingress means Incoming
Egress means outgoing



               







Above picture both NIC having same subnet and same network, so same subnet for two nic’s is required for both nic’s.


           
ote: There are a number of requirements which need to be considered before implementing any form of link aggregation. For more/related information on these requirements, see ESXi/ESX host requirements for link aggregation (1001938).

Link aggregation concepts:
  • EtherChannel: This is a link aggregation (port trunking) method used to provide fault-tolerance and high-speed links between switches, routers, and servers by grouping two to eight physical Ethernet links to create a logical Ethernet link with additional failover links. For additional information on Cisco EtherChannel, see the EtherChannel Introduction by Cisco.
  • LACP or IEEE 802.3ad: The Link Aggregation Control Protocol (LACP) is included in IEEE specification as a method to control the bundling of several physical ports together to form a single logical channel. LACP allows a network device to negotiate an automatic bundling of links by sending LACP packets to the peer (directly connected device that also implements LACP). For additional information on LACP see the Link Aggregation Control Protocol whitepaper by Cisco. 

    Note: LACP is only supported in vSphere 5.1, using vSphere Distributed Switches (VDS) or the Cisco Nexus 1000v.
  • EtherChannel vs. 802.ad: EtherChannel and IEEE 802.3ad standards are very similar and accomplish the same goal. There are a few differences between the two, other than EtherChannel is Cisco proprietary and 802.3ad is an open standard.
  • For additional information on EtherChannel implementation, see the Understanding EtherChannel Load Balancing and Redundancy on Catalyst Switches article from Cisco.

EtherChannel supported scenarios:
  • One IP to many IP connections. (Host A making two connection sessions to Host B and C)
  • Many IP to many IP connections. (Host A and B multiple connection sessions to Host C, D, etc)

    Note: One IP to one IP connections over multiple NICs is not supported. (Host A one connection session to Host B uses only one NIC).
  • Compatible with all ESXi/ESX VLAN configuration modes: VST, EST, and VGT. For more information on these modes, see VLAN Configuration on Virtual Switch, Physical Switch, and Virtual Machines (1003806).
  • Supported Cisco configuration: EtherChannel Mode ON – ( Enable EtherChannel only)
  • Supported HP configuration: Trunk Mode
  • Supported switch Aggregation algorithm: IP-SRC-DST (short for IP-Source-Destination)
  • Supported Virtual Switch NIC Teaming mode: IP HASH

    Note: The only load balancing option for vSwitches or vDistributed Switches that can be used with EtherChannel is IP HASH:
    • Do not use beacon probing with IP HASH load balancing.
    • Do not configure standby or unused uplinks with IP HASH load balancing.
    • VMware only supports one EtherChannel per vSwitch or vNetwork Distributed Switch (vDS).
  • Lower model Cisco switches may have MAC-SRC-DST set by default, and may require additional configuration. For more information, see the Understanding EtherChannel Load Balancing and Redundancy on Catalyst Switches article from Cisco.

This is a Cisco EtherChannel sample configuration:

interface Port-channel1
switchport
switchport access vlan 100
switchport mode access
no ip address
!
interface GigabitEthernet1/1
switchport
switchport access vlan 100
switchport mode access
no ip address
channel-group 1 mode on
!


ESX Server and Cisco switch sample topology and configuration:



Run this command to verify EtherChannel load balancing mode configuration:

Switch# show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip
mpls label-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address
MPLS: Label or IP

Switch# show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+--------------------------
1 Po1(SU) - Gi1/15(P) Gi1/16(P)
2 Po2(SU) - Gi1/1(P) Gi1/2(P)

Switch# show etherchannel protocol
Channel-group listing:
-----------------------
Group: 1
----------
Protocol: - (Mode ON)
Group: 2
----------
Protocol: - (Mode ON)

HP switch sample configuration

This configuration is specific to HP switches:
  • HP switches support only two modes of LACP: ACTIVE and PASSIVE.

    Note: LACP is only supported in vSphere 5.1 with vSphere Distributed Switches and on the Cisco Nexus 1000V.
  • Set the HP switch port mode to TRUNK to accomplish static link aggregation with ESXi/ESX.
  • TRUNK Mode of HP switch ports is the only supported aggregation method compatible with ESXi/ESX NIC teaming mode IP hash.

To configure a static portchannel in an HP switch using ports 10, 11, 12, and 13, run this command:

conf
trunk 10-13 Trk1 Trunk


To verify your portchannel, run this command:

ProCurve# show trunk
Load Balancing
Port | Name Type | Group Type
---- + --------- + ----- -----
10 | 100/1000T | Trk1 Trunk
11 | 100/1000T | Trk1 Trunk
12 | 100/1000T | Trk1 Trunk
13 | 100/1000T | Trk1 Trunk

Configuring load balancing within the vSphere/VMware Infrastructure Client

To configure vSwitch properties for load balancing:
1.     Click the ESXi/ESX host.
2.     Click the Configuration tab.
3.     Click the Networking link.
4.     Click Properties.
5.     Click the virtual switch in the Ports tab and click Edit.
6.     Click the NIC Teaming tab.
7.     From the Load Balancing dropdown, choose Route based on ip hash.
8.     Verify that there are two or more network adapters listed under Active Adapters.



Note: The only load balancing option for vSwitches or vDistributed Switches that can be used with EtherChannel is IP HASH.
  • Do not use beacon probing with IP HASH load balancing.
  • Do not configure standby or unused uplinks with IP HASH load balancing.
  • VMware supports only one EtherChannel per vSwitch or vNetwork Distributed Switch (vDS).
  • ESX/ESXi running on a blade system does not require IP Hash load balancing if an EtherChannel exists between the blade chassis and upstream switch. This is only required if an EtherChannel exists between the blade and the internal chassis switch, or if the blade is operating in a network pass-through mode with an etherchannel to the upstream switch. For more information on these various scenarios, please contact your blade hardware vendor. 

Additional Information

For more information, see NIC teaming using EtherChannel leads to intermittent network connectivity in ESXi (1022751).

LACP is supported on vSphere ESXi 5.1 on VMware vDistributed Switches only. For more information, see 
Enabling or disabling LACP on an Uplink Port Group using the vSphere Web Client (2034277) and the What's New in VMware vSphere 5.1 - Networking white paper.


For translated versions of this article, see:

Tags

no-access-to-external-network no-load-balancing


IP Hash is a native vSphere switch requirement. It does not support any other load distribution methods.
Taken from the vSphere Networking guide
Here is the warning from vSphere:
Notice that if I want to use EtherChannel, I have to select IP Hash for my load balancing method, and immediately there is a little information box warning.
Note: The term IP Hash equates to a load distribution policy of src-dst-ip on a Cisco switch.
Static EtherChannel under other circumstances can use any of the available load distribution policies. When talking to a vSphere host, however, it is forced to using an IP Hash because that is what vSphere is able to use.
If you want to use LACP with vSphere, you are required to install a Cisco Nexus 1000Vvirtual switch. There’s no other way to do LACP with vSphere at the time of this writing. And, since the 1000V is a (nearly) full featured Cisco switch, instead of a native vSphere switch, you can use any load distribution policy you want – you are no longer limited to IP Hash (src-dst-ip)



NIC Teaming
It is for load balancing and fall back  by redundancy , It is GUI interface where we can configure etherchannel after configuring the same ports as etherchannel in physical switch side by cisco commands

Loadbalaning and redundancy leaveraging from ether channel.

ETHER CHANNEL (PAGP ) IS CISCO PROPRIETARY
LACP IS OPEN SOURCE AND DEVELOPED BY IEEE , rfC 802.AD

LAB vmware esXI network dump collector Configuration and Management.



Load Balancing: Route Based on IP Hash
PAGP is the protocol which cisco uses for etherchannel.













We can partition the network resource in to two connection type where as
1.       Virtual machine connection type
2.       VMkernel network type
In VMkernel is purely optimized for vmotion ,faulttolerance , nfs etc ,  with having a separate new tcp/ip stack for services like vmotion & faulttolerance.
VMkerenel traffic always create a default root 0.0.0.0 0.0.0.0 10.223.162.251 eventhough we have not configured vmkernel traffic so any packet which don’t have route will go to 10.223.162.251.
I said if we didn’t configured the vmkernel traffic physically also , esxi automatically create a vmkernel traffic , ie is for vm management network.

You can see that here in down .













vDs
Distributed switch is a specific to a data center not specific to cluster or a host.
Only available with Enterprise Edition
Recommend to everyone if they having enterprise edition license.

Upgrading Distributed Switch:-
Here I was trying to upgrade the distributed switch but is not possible with current environment , In my current environment I have installed  ESXI 5.1 in the below mentioned host and running vSD 5.0 but the reason vSD cannot upgrade to 5.5 due to the ESXI 5.1 is not upgraded to 5.5 , Ok ..  Here I forget to say that I have upgraded the vCenter from 5.1 to 5.5 in my current environment. Have to upgrade to esxi as well to 5.5 for upgrading the vSD and H/W version of the VM’s.



No comments:

Post a Comment