VCP 4 Prep Objective 2.1 – Configure Virtual Switches

Objective 2.1 – Configure Virtual Switches

Understand Virtual Switch and ESX/ESXi NIC port maximums

The configuration maximums for a virtual switch on ESX/ESXi are:

  • 4096 is the number of network switch ports per host when using distributed and standard virtual switches (4088 usable as 8 are reserved for ESX/ESXi use).
  • The minimum number of ports a switch can have is 8 usable.
  • The first vSwitch is created with 56 ports, subsequent switches are configured with 120 usable ports.
  • 1016 is the maximum number of active switch ports per host when using distributed and standard virtual switches.
  • 512 port groups per standard switch
  • 5000 static or dynamic port groups per distributed switch
  • 20000 ports per distributed switch; this number also applies to the switch ports per vCenter
  • 32 distributed switches per vCenter
  • 16 distributed switches per host
  • 350 hosts per distributed switch
  • 248 standard switches per host

The configuration maximums for ESX/ESXi host network adapters are:

  • 32 Intel e1000 1GB adapters (PCI-x) 
  • 24 Intel e1000 1GB adapters (PCI-e)
  • 16 Broadcom 1GB adapters (bnx2)
  • 32 Broadcom 1GB adapters (tg3)
  • 4 Broadcom 10GB adapters (bnx2x)
  • 2 VMDirectPath devices per VM
  • 8 VMDirectPath devices per host

Determine the vSwitch NIC teaming policy in a given situation

Virtual switches with multiple adapters can utilise the following teaming policies:

Route based on the originating virtual port ID maps each virtual port to one uplink; that virtual port will always use that uplink as long as the uplink is up.

Route based on IP hash allows a virtual machine to use multiple uplinks simultaneously, one uplink per source/destination IP pair. For the physical switch to support this, the physical switch ports must be configured for 802.3ad link aggregation (EtherChannel in the Cisco world).

Route based on source MAC address works in much the same way as the virtual port ID policy; the only difference is that the VMkernel maps the source MAC address, rather than the virtual port, to an uplink.

Explicit failover is used when the underlying switch network doesn’t support redundant links or there is no requirement for large throughput.

When you have specified the NIC teaming policy you should change the following settings depending on your situation / scenario:

Network failover detection: by default this is set to Link Status Only, which only detects failures between the network adapter and its directly connected switch port (a pulled cable or a failed switch port, not a failure further upstream). The alternative is Beacon Probing: the host sends a beacon packet out one active adapter, destined for the other active adapters; if the beacon is received, the physical switch topology between the adapters is considered to be functioning. Beacon probing is not recommended and should only be used when the physical switch network doesn't support redundancy.

Notify switches: by default this is set to Yes, so when a network adapter failover occurs the VMware host notifies the physical switch that it should update its MAC table to point at the new active network adapter (the notification is a reverse ARP frame). vMotion and virtual machine power-on also trigger switch notification. If Notify Switches is set to No, the virtual machines and their active clients will experience downtime after a failover.

Failback: by default this is set to Yes, so traffic returns to the preferred network adapter as soon as it comes back up. If the preferred network adapter is flapping, traffic moves back and forth with it and you would see networking issues; setting Failback to No keeps traffic on the adapter that took over.
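To make the two preceding sections concrete, here is an added example (not code from the original post) that models which uplink each load-balancing policy selects for a stream of frames from one virtual machine, and how the failover order, link status and the Failback setting interact when the preferred adapter flaps. The hash arithmetic is an assumed simplification rather than VMware's exact algorithm; the point it demonstrates is which field each policy keys on, and therefore whether a single VM can ever spread across more than one uplink. The uplink names, MAC and IP addresses and the link-status timeline are all constructed.

```python
"""Model of ESX vSwitch load-balancing policies, failover order and Failback.

Added example, not from the original post. The hash arithmetic is an assumed
simplification, not VMware's exact algorithm."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_port_id: int  # virtual port the vNIC is attached to
    src_mac: str
    src_ip: str
    dst_ip: str


def by_virtual_port_id(frame, uplinks):
    # Keyed on the virtual port only: every frame from this vNIC uses one uplink.
    return uplinks[frame.src_port_id % len(uplinks)]


def by_source_mac(frame, uplinks):
    # Keyed on the source MAC only: same outcome as above, different key.
    last_octet = int(frame.src_mac.split(":")[-1], 16)
    return uplinks[last_octet % len(uplinks)]


def by_ip_hash(frame, uplinks):
    # Keyed on the source/destination IP pair, so different conversations from
    # the same VM can land on different uplinks (needs 802.3ad on the switch).
    src = int(ipaddress.IPv4Address(frame.src_ip))
    dst = int(ipaddress.IPv4Address(frame.dst_ip))
    return uplinks[(src ^ dst) % len(uplinks)]


def uplinks_used(policy, frames, uplinks):
    """Set of uplinks a stream of frames from one VM would leave on."""
    return {policy(f, uplinks) for f in frames}


def select_uplink(failover_order, link_up, current=None, failback=True):
    """Pick the uplink that carries traffic.

    failover_order: uplinks in preference order (Active entries first, then
    Standby). link_up: uplink -> bool from link status detection. current:
    the uplink carrying traffic right now. With Failback=No the current uplink
    is kept as long as it is up, even if a more preferred one has recovered.
    """
    if not failback and current is not None and link_up.get(current, False):
        return current
    for uplink in failover_order:
        if link_up.get(uplink, False):
            return uplink
    return None  # nothing is up: the port group is isolated


def run_flapping_scenario(failback):
    """Replay a flapping preferred adapter; return the uplink used at each step."""
    order = ["vmnic0", "vmnic1"]  # vmnic0 is the preferred (first Active) adapter
    timeline = [  # constructed link-status events: vmnic0 flaps down/up twice
        {"vmnic0": True, "vmnic1": True},
        {"vmnic0": False, "vmnic1": True},
        {"vmnic0": True, "vmnic1": True},
        {"vmnic0": False, "vmnic1": True},
        {"vmnic0": True, "vmnic1": True},
    ]
    current, history = None, []
    for link_up in timeline:
        current = select_uplink(order, link_up, current, failback)
        history.append(current)
    return history


# Constructed sample: one VM on virtual port 7 talking to three servers.
VM_FRAMES = [
    Frame(7, "00:50:56:aa:bb:01", "10.0.0.5", dst)
    for dst in ("10.0.0.10", "10.0.0.11", "10.0.0.12")
]
UPLINKS = ["vmnic0", "vmnic1"]

if __name__ == "__main__":
    for policy in (by_virtual_port_id, by_source_mac, by_ip_hash):
        print(f"{policy.__name__:20s} -> {sorted(uplinks_used(policy, VM_FRAMES, UPLINKS))}")
    print("Failback=Yes:", run_flapping_scenario(True))
    print("Failback=No: ", run_flapping_scenario(False))
```

Running it shows the port ID and source MAC policies pinning the VM to a single uplink while IP hash spreads its three conversations over both, and the Failback=Yes timeline bouncing between vmnic0 and vmnic1 on every flap while Failback=No settles on vmnic1 after the first failure.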

Determine the appropriate vSwitch security policies in a given situation

Virtual switches and port groups have the following configurable layer two security features:

Promiscuous mode is set to Reject by default; this means a virtual machine running a packet sniffing application can only capture packets destined for itself. If promiscuous mode is set to Accept, the virtual machine is able to capture all packets sent to the switch.

MAC address changes are accepted by default; this allows a virtual machine to receive Ethernet frames with a different MAC address than the one configured in the virtual machine's vmx file. A real world example would be a virtual machine running Microsoft Windows with Microsoft Network Load Balancing enabled.

Forged transmits are accepted by default; this allows a virtual machine to send Ethernet frames with a different MAC address than the one configured in the virtual machine's vmx file.
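Because two of the three settings default to Accept, a practitioner usually wants to know which port groups are still at the defaults and which have a documented reason to be. The following added example (not from the original post) audits each port group's effective layer-two security policy against a hardened all-Reject baseline, resolving port group overrides against the vSwitch policy they inherit from, and lets justified exceptions such as the NLB case above be recorded rather than reported. The vSwitch and port group names, the policy values and the exception list are constructed for the example.

```python
"""Audit vSwitch / port group layer-two security policies.

Added example, not from the original post. The inventory below is constructed;
the ESX defaults are the ones the post describes."""
from dataclasses import dataclass, field

SETTINGS = ("promiscuous_mode", "mac_address_changes", "forged_transmits")

# ESX standard switch defaults as described in the post.
ESX_DEFAULT_POLICY = {
    "promiscuous_mode": "Reject",
    "mac_address_changes": "Accept",
    "forged_transmits": "Accept",
}

# Hardened baseline: a guest should neither sniff other VMs' traffic nor
# receive or send frames for MAC addresses it does not own.
HARDENED_POLICY = {s: "Reject" for s in SETTINGS}


@dataclass
class PortGroup:
    name: str
    vswitch: str
    overrides: dict = field(default_factory=dict)  # only the settings it overrides


def effective_policy(pg, vswitch_policies):
    """Resolve inheritance: a port group override wins over its vSwitch policy."""
    base = vswitch_policies.get(pg.vswitch, ESX_DEFAULT_POLICY)
    return {s: pg.overrides.get(s, base[s]) for s in SETTINGS}


def audit(port_groups, vswitch_policies, exceptions):
    """Return (findings, accepted exceptions) as lists of text lines.

    exceptions maps (port group name, setting) -> justification, for example
    a Microsoft NLB port group that needs MAC address changes accepted.
    """
    findings, accepted = [], []
    for pg in port_groups:
        policy = effective_policy(pg, vswitch_policies)
        for setting in SETTINGS:
            if policy[setting] == HARDENED_POLICY[setting]:
                continue
            source = "override" if setting in pg.overrides else f"inherited from {pg.vswitch}"
            reason = exceptions.get((pg.name, setting))
            if reason:
                accepted.append(f"{pg.name}: {setting}={policy[setting]} ({source}) justified: {reason}")
            else:
                findings.append(f"{pg.name}: {setting}={policy[setting]} ({source})")
    return findings, accepted


# Constructed inventory: vSwitch0 left at ESX defaults, vSwitch1 hardened.
VSWITCH_POLICIES = {
    "vSwitch0": dict(ESX_DEFAULT_POLICY),
    "vSwitch1": dict(HARDENED_POLICY),
}
PORT_GROUPS = [
    PortGroup("VM Network", "vSwitch0"),  # inherits the defaults unchanged
    PortGroup("NLB Cluster", "vSwitch1", {"mac_address_changes": "Accept"}),
    PortGroup("IDS Span", "vSwitch1", {"promiscuous_mode": "Accept"}),
]
EXCEPTIONS = {("NLB Cluster", "mac_address_changes"): "Microsoft NLB unicast mode"}

if __name__ == "__main__":
    found, ok = audit(PORT_GROUPS, VSWITCH_POLICIES, EXCEPTIONS)
    for line in found:
        print("FINDING ", line)
    for line in ok:
        print("ACCEPTED", line)
```

The output distinguishes settings a port group inherited from its vSwitch from ones it overrode, which matters in practice: hardening vSwitch0 would clear both VM Network findings at once, while the IDS Span finding needs a decision about that one port group.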

Create / Delete Virtual Switches

Create via the UI: Configuration tab > Networking > Add Networking > [Virtual Machine | VMKernel | Service Console] > Next > Enter a network label > Next > Finish

Create via the CLI: esxcfg-vswitch -a {vSwitch Name}

Delete via the UI: Configuration tab > Networking > select Remove above the existing virtual switch > select Yes from the UI prompt

Delete via the CLI: esxcfg-vswitch -d {vSwitch Name}

Create Ports / Port Groups

Port groups can be added to virtual switches via the vSphere client or CLI.

UI: Configuration tab > Networking > select the Properties of an existing virtual switch > Add > [Virtual Machine | VMKernel | Service Console] > Next > Name the port group > Next > Finish

CLI: esxcfg-vswitch -A {Port Group Name} {vSwitch Name}

Port group VLAN ID 4095 enables Virtual Guest Tagging: frames from all VLANs are passed to the virtual machine with their 802.1Q tags intact, and the guest operating system handles the VLAN tagging itself.

If the default number of ports available on the switch is not enough, or is too many, you can change the number of available ports via the vSphere client.

UI: Configuration tab > Networking > select the Properties of an existing virtual switch > select the virtual switch > Edit > select the General tab > set the number of ports from the drop down list > OK > Close

In order for the changes to take effect the host must be rebooted. 

Assign Physical adapters

Physical adapters can be assigned to virtual switches via the vSphere client or CLI.

UI: Configuration tab > Networking > select the virtual switch > Properties > Select the adapters tab > Click add > select an adapter > define whether the adapter is Active or Standby > Next > Finish > Close

CLI: esxcfg-vswitch -L {Physical NIC, e.g. vmnic1} {Virtual Switch Name} (the -L option links a physical vmnic uplink, not a VMkernel vmk interface)

Modify vSwitch NIC Teaming and failover policies

The vSwitch NIC teaming policy can be modified via the vSphere client.

UI: Configuration tab > Networking > select Properties of an existing virtual switch > select [virtual switch | port group name] > NIC Teaming tab > select the appropriate setting from the Load Balancing drop down list > select the appropriate setting from the Network Failover Detection drop down list > select [Yes | No] from the Notify Switches drop down list > select [Yes | No] from the Failback drop down list > configure the failover order (if applicable) > OK > Close

Modify vSwitch security policy and VLAN settings

The vSwitch security and VLAN configuration can be configured via the vSphere client and CLI.

Configure VLAN via the UI: Configuration tab > Networking > select Properties of an existing virtual switch > select port group > edit > enter a VLAN ID > ok > close

Configure VLAN via the CLI: esxcfg-vswitch -v {VLAN ID} -p {Port Group Name} {vSwitch Name}

Configure security settings via the UI: Configuration tab > Networking > select Properties of an existing virtual switch > select [virtual switch | port group] > edit > security tab > configure the layer two security policies as required > ok > close

Configure vMotion

vMotion is configured using a VMKernel port; VMKernel ports can be configured via the vSphere client or CLI.

UI: Configuration tab > Networking > Add Networking > VMKernel > Next > Create a virtual switch or select an existing one > Select applicable NICs > Next > Name the port group > Enter a VLAN ID [1-4096] > Check the box Use this port group for vMotion > Select IPv4, IPv6 or IPv4 and IPv6 networking > Next > Select DHCP or specify an address > specify a VMKernel gateway > Next > Finish
