Objective 3.2 – Configure and Manage vDS Policies

Principles

  • Compare and contrast common vDS policies
  • Configure dvPortgroup blocking policies
  • Explain benefits of Multi-Instance TCP/IP stack
  • Configure load balancing and failover policies
  • Configure VLAN settings
  • Configure traffic shaping policies
  • Enable TCP Segmentation Offload (TOE) support for a virtual machine
  • Enable Jumbo Frame support on appropriate components
  • Determine appropriate VLAN configuration for a vSphere implementation
  • Understand how DSCP is handled in a VXLAN frame

References

  • vsphere-esxi-vcenter-server-60-installation-setup-guide.pdf

http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-installation-setup-guide.pdf

  • vsphere-esxi-vcenter-server-651-networking-guide.pdf

https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-651-networking-guide.pdf

  • vmw-nsx-palo-alto-networks-solution-brief.pdf

http://www.vmware.com/files/pdf/products/nsx/vmw-nsx-palo-alto-networks.pdf

  • vsphere-esxi-vcenter-server-65-installation-setup-guide.pdf

https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-installation-setup-guide.pdf

Compare and contrast common vDS policies

Policy Object Level

vDS network policies can be applied with varying levels of granularity:

  • Distributed Port Group (DPG)

Policy applied to all ports in the group

  • Distributed Port

Override DPG policies at an individual port level

  • Uplink Port Group (UPG)

Policy applied to all uplink ports in the group

  • Uplink Port

Override UPG policies at an individual uplink port level, e.g. use a particular uplink port for a specific VM

Note: Unlike the vSphere Standard Switch (VSS), policies cannot be applied to the vDS at a Global Level.

Policy Types

The following types of network policies are applicable to the vDS:

  • Teaming and Failover
    • NIC teaming policy can be set at Port Group or vDS level
      • Include two or more physical NICs in a team and configure NIC failover order
    • Configure traffic load balancing algorithms
      • vDS only balances outgoing traffic
    • Network Failure Detection Policy
      • Link status only

Relies on the NIC to report link state. Does not detect configuration errors such as STP-blocked ports or VLAN misconfiguration

      • Beacon probing

Sends and listens for Ethernet broadcast frames (beacon probes). Useful for detecting failures where the NIC doesn’t report a link-down event. Use when there are at least 3 NICs in a team

    • Failback Policy
      • Brings a NIC back online following a failure, i.e. it takes its place back. This can be problematic if the link is flapping and can lead to the port being blocked by the physical switch. To mitigate, disable STP on the physical switch.
    • Notify Switches Policy
      • Virtual Switch sends updates to the physical network switches when NIC failover occurs, so they can update lookup tables
  • VLAN
    • Configures where the VLAN tag is applied to 802.1Q traffic
      • External Switch Tagging (EST): Tagging is delegated to an external switch
      • Virtual Switch Tagging (VST): Tagging is applied by the vDS
      • Virtual Guest Tagging (VGT): Tagging is applied by Virtual Machines
  • Security Policy
    • Provides protection of traffic against MAC address impersonation and unwanted port scanning
    • Security policy implemented at Layer 2
    • Set on a Port Group or Port level
    • Promiscuous Mode:
      • Reject: VM only receives frames addressed to it
      • Accept: All frames are forwarded to the VM. Insecure; used for port scanners, intrusion detection systems etc.
    • MAC Address changes:
      • Reject: If a guest OS changes the MAC address of a network adapter (from the one configured in the VM's .vmx file), the virtual switch drops inbound frames to the adapter
      • Accept: Changes to the MAC address are permitted and the virtual switch forwards frames to the VM's new address
    • Forged transmits:
      • Reject: Virtual switch drops outbound frames from a VM if the source MAC address doesn’t match the one configured in the VM's .vmx file
      • Accept: All outbound frames are permitted, even if the source MAC address differs from that configured in the VM's .vmx file
  • Traffic Shaping
    • Control bandwidth available to vDS network ports on inbound and outbound traffic
    • Also permits traffic bursts
  • Resource allocation
    • Associate a Distributed Port or Group with a user-defined network resource pool e.g. bandwidth allocation
    • Use in conjunction with vSphere Network I/O Control version 2 or 3
  • Monitoring
    • Configure NetFlow on Distributed Ports or Groups
  • Traffic filtering and marking
    • Filter specific traffic from the switch e.g. for security purposes
    • Apply QoS packet marking: either L2 CoS or L3 DSCP
  • Port blocking
    • Selectively block ports
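The security policy is the one most worth checking regularly, since a single port group left at Accept undoes the MAC-impersonation protection described above. The following PowerCLI script is an added example (not from the study guide or the vSphere documentation): it audits every distributed port group and, with -Remediate, sets all three settings to Reject. It assumes VMware.PowerCLI is installed and a vCenter session is already open; the -Exclude list is for port groups that legitimately need Accept, such as one feeding an IDS sensor.

```powershell
# Added example, not part of the study guide: audit the Layer 2 security policy of
# every distributed port group and, with -Remediate, set all three settings to
# Reject. Assumes VMware.PowerCLI is installed and Connect-VIServer has been run.
param(
    [switch]$Remediate,
    # Port groups that legitimately need Accept, e.g. one feeding an IDS sensor
    [string[]]$Exclude = @()
)

Import-Module VMware.VimAutomation.Vds

# Uplink port groups carry no VM traffic, so only regular port groups are checked
$findings = foreach ($pg in Get-VDPortgroup | Where-Object { -not $_.IsUplink }) {
    $pol = Get-VDSecurityPolicy -VDPortgroup $pg
    # Each policy property is $true for Accept and $false for Reject
    $open = @()
    if ($pol.AllowPromiscuous) { $open += 'PromiscuousMode' }
    if ($pol.MacChanges)       { $open += 'MacAddressChanges' }
    if ($pol.ForgedTransmits)  { $open += 'ForgedTransmits' }
    if ($open.Count -gt 0) {
        [pscustomobject]@{
            Switch    = $pg.VDSwitch.Name
            PortGroup = $pg.Name
            Accepting = ($open -join ', ')
        }
    }
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { $Exclude -notcontains $_.PortGroup }) {
        Get-VDPortgroup -VDSwitch $f.Switch -Name $f.PortGroup |
            Get-VDSecurityPolicy |
            Set-VDSecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
            Out-Null
        Write-Host "Set Reject/Reject/Reject on $($f.Switch)/$($f.PortGroup)"
    }
}
```

Ports with a port-level override keep their own settings, so re-run the audit with Get-VDPort if overrides are enabled on a port group.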

Configure dvPortgroup blocking policies

Edit the Port Blocking Policy for a Distributed Port Group

Port blocking policies selectively block traffic from Distributed Ports or Groups.

  1. In the vSphere Web Client, navigate to the distributed switch
  2. Right-click the distributed switch in the object navigator and select Distributed Port Group > Manage Distributed Port Groups
  3. Select the Miscellaneous check box and click Next
  4. Select one or more distributed port group to configure and click Next
  5. From the Block all ports drop-down menu, enable or disable port blocking, and click Next
  6. Review your settings and click Finish.

Edit the Blocking Policy for a Distributed Port or Uplink Port

You can block an individual distributed port or uplink port.
Prerequisites: Enable the port-level overrides on the DPG (DPG->Settings-> Advanced->Override port policies)

  1. Navigate to a distributed switch and then navigate to a distributed port or an uplink port
    1. To navigate to the distributed ports of the switch, click Networks > Distributed Port Groups, double-click a distributed port group from the list, and click the Ports tab.
    2. To navigate to the uplink ports of an uplink port group, click Networks > Uplink Port Groups, double-click an uplink port group from the list, and click the Ports tab
  2. Select a port from the list
  3. Click Edit distributed port settings
  4. In the Miscellaneous section, select the Override check box, and from the drop-down menu enable or disable port blocking
  5. Click OK

Explain benefits of Multi-Instance TCP/IP stack

Multiple TCP/IP stacks provide a means to isolate traffic based on application requirements to improve performance, management and security.

The following TCP/IP Stacks are supported at the VMkernel level:

  • Default
    • Handles Management, IP Storage, vMotion and Fault Tolerance traffic
  • vMotion
    • Use in place of Default stack for better traffic isolation
    • Once VMkernel ports are configured on this stack, any vMotion kernel ports on the management stack are disabled
  • Provisioning
    • Supports VM Migration, Cloning and Snapshot creation traffic
    • Handles NFC traffic during long distance vMotion migration
    • Once VMkernel ports are configured on this stack, any adapters on the Management stack are disabled for provisioning traffic
  • Custom
    • Custom stacks can be created to handle traffic for custom applications

Configure load balancing and failover policies

  • Include two or more physical NICs in a team to increase the network capacity
  • Configure failover order in case of adapter failure
  • Select a load balancing algorithm for the physical NICs in a team

  1. In the vSphere Web Client, navigate to the distributed switch
  2. Navigate to the Teaming and Failover policy on the distributed port group or port
  3. From the Load balancing drop-down menu, specify how the virtual switch load balances the outgoing traffic between the physical NICs in a team
  4. From the Network failure detection drop-down menu, select the method that the virtual switch uses for failover detection
  5. Specify how the uplinks in a team are used when a failover occurs by configuring the Failover Order list

See “Configure NIC Teaming, Failover, and Load balancing on a Distributed Port Group or Distributed Port” section of the vSphere 6.5 networking guide for full details.

Load Balancing Policies

The Load Balancing policy determines how network traffic is distributed between the network adapters in a NIC team. vSphere virtual switches load balance only the outgoing traffic. Incoming traffic is controlled by the load balancing policy on the physical switch. The following policies are available:

  • Route Based on Originating Virtual Port

Select uplink based on VM port ID

  • Route Based on Source MAC Hash

Select uplink based on VM MAC Address and number of uplinks in the NIC team

  • Route Based on IP Hash

Select uplink based on source and destination IP address of each packet

  • Route Based on Physical NIC Load

Similar to “Route Based on Originating Virtual Port” whilst also taking utilisation of uplinks into account to avoid overload

  • Use Explicit Failover Order

Select uplink based on configured order: Active/Standby
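The steps and policies above, scripted with PowerCLI as an added example (not from the study guide or the vSphere documentation). The function chooses the failure detection method from the size of the team, following the rule that beacon probing needs at least three uplinks, and the two calls at the bottom show the usual Management/vMotion design: an explicit failover order with the active and standby uplinks reversed. A connected vCenter session is assumed; the switch, port group and uplink names are placeholders.

```powershell
# Added example, not part of the study guide: apply a teaming policy to a port group
# and pick the failure detection method from the number of uplinks in the team.
# Assumes a connected vCenter session; all names below are placeholders.
Import-Module VMware.VimAutomation.Vds

function Set-TeamingForPortgroup {
    param(
        [Parameter(Mandatory)] [string]   $SwitchName,
        [Parameter(Mandatory)] [string]   $PortgroupName,
        [Parameter(Mandatory)] [string[]] $Active,
        [string[]] $Standby = @(),
        [ValidateSet('LoadBalanceSrcId', 'LoadBalanceSrcMac', 'LoadBalanceIP',
                     'LoadBalanceLoadBased', 'ExplicitFailover')]
        [string] $LoadBalancing = 'LoadBalanceLoadBased'
    )
    $pg = Get-VDPortgroup -VDSwitch $SwitchName -Name $PortgroupName
    $teamSize = $Active.Count + $Standby.Count
    # Beacon probing needs a third uplink to tell a failed link from a failed peer,
    # so a two-uplink team falls back to link status only
    $detection = if ($teamSize -ge 3) { 'BeaconProbing' } else { 'LinkStatus' }

    $settings = @{
        LoadBalancingPolicy     = $LoadBalancing
        FailoverDetectionPolicy = $detection
        NotifySwitches          = $true    # let the physical switches update their MAC tables
        EnableFailback          = $false   # a bouncing link stays on standby instead of flapping
        ActiveUplinkPort        = $Active
    }
    if ($Standby.Count -gt 0) { $settings['StandbyUplinkPort'] = $Standby }
    Get-VDUplinkTeamingPolicy -VDPortgroup $pg | Set-VDUplinkTeamingPolicy @settings
}

# Management and vMotion share two uplinks but prefer opposite ones, so each kind of
# traffic normally has a physical link to itself and still survives a single failure
Set-TeamingForPortgroup -SwitchName 'dvs-mgmt' -PortgroupName 'dvpg-Management' `
    -Active 'dvUplink1' -Standby 'dvUplink2' -LoadBalancing ExplicitFailover
Set-TeamingForPortgroup -SwitchName 'dvs-mgmt' -PortgroupName 'dvpg-vMotion' `
    -Active 'dvUplink2' -Standby 'dvUplink1' -LoadBalancing ExplicitFailover
```

LoadBalanceIP requires the physical switch ports to be configured as a static EtherChannel/LAG; the other policies work with independent switch ports.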

Configure VLAN settings

The scope of VLAN policies can be distributed port groups and ports, and uplink port groups and ports.

  1. In the vSphere Web Client, navigate to the distributed switch
  2. Navigate to the VLAN policy on the distributed port group or distributed port
  3. From the VLAN type drop-down menu, select the type of VLAN traffic filtering and marking, and click Next

See “Configure VLAN Tagging on a Distributed Port Group or Distributed Port” section of the vSphere 6.5 networking guide for full details.

Configure traffic shaping policies

Traffic shaping policies control:

  • Outbound traffic on standard switches
  • Inbound + Outbound traffic on distributed switches

Policies are defined by:

  • Average Bandwidth

Average bits per second to permit across a Port

  • Peak Bandwidth

Maximum bps to permit across a port during bursts

  • Burst Size

Maximum number of bytes to allow in a burst. A burst is only available if the port has not been using its full allocated average bandwidth

  1. In the vSphere Web Client, navigate to the host
  2. On the Configure tab, expand Networking and select Virtual switches
  3. Navigate to the traffic shaping policy on the standard switch or port group
  4. Configure traffic shaping policies (Average/Peak Bandwidth, Burst Size)

See “Configure VLAN Tagging on a Distributed Port Group or Distributed Port” section of the vSphere 6.5 networking guide for full details.

Enable TCP Segmentation Offload (TOE) support for a virtual machine

  • Used to improve network performance for workloads with severe latency requirements
  • Network adapter divides larger data chunks into TCP segments instead of the CPU
  • Enable on the physical NICs, the VMkernel and the guest OS adapter
  • Enabled by default on the VMkernel and on VMXNET 2 and VMXNET 3 virtual machine adapters

For further details see the “TCP Segmentation Offload” section of the vSphere 6.5 networking guide.

Enable Jumbo Frame support on appropriate components

Enable Jumbo Frames on a vSphere Distributed Switch

  1. In the vSphere Web Client, navigate to the distributed switch
  2. On the Configure tab, expand Settings and select Properties
  3. Click Edit
  4. Click Advanced and set the MTU property to a value greater than 1500 bytes.

Note: You cannot set the MTU size to a value greater than 9000 bytes.

  5. Click OK

For further details see the “Jumbo Frames” section of the vSphere 6.5 networking guide.
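Raising the switch MTU is only one of the "appropriate components": the VMkernel adapters and the physical network must match, or large frames are silently fragmented or dropped. The following PowerCLI function is an added example (not from the study guide or the vSphere documentation): it sets the vDS MTU, enforcing the 9000-byte limit noted above, then lists every VMkernel adapter attached to one of the switch's port groups whose MTU disagrees, optionally aligning them. A connected vCenter session is assumed; the switch name is a placeholder.

```powershell
# Added example, not part of the study guide: set a distributed switch MTU and check
# that the VMkernel adapters on its port groups agree. Assumes a connected vCenter
# session; the switch name at the bottom is a placeholder.
Import-Module VMware.VimAutomation.Core
Import-Module VMware.VimAutomation.Vds

function Set-VDSwitchJumboFrames {
    param(
        [Parameter(Mandatory)][string] $SwitchName,
        [ValidateRange(1501, 9000)][int] $Mtu = 9000,   # a vDS accepts at most 9000 bytes
        [switch] $AlignVmkernel                          # also raise mismatched vmk adapters
    )
    $vds = Get-VDSwitch -Name $SwitchName
    Set-VDSwitch -VDSwitch $vds -Mtu $Mtu | Out-Null

    # VMkernel adapters backed by this switch are those whose port group belongs to it
    $pgNames  = Get-VDPortgroup -VDSwitch $vds | Select-Object -ExpandProperty Name
    $mismatch = Get-VMHost | Get-VMHostNetworkAdapter -VMKernel |
        Where-Object { $pgNames -contains $_.PortGroupName -and $_.Mtu -ne $Mtu }

    foreach ($vmk in $mismatch) {
        if ($AlignVmkernel) {
            Set-VMHostNetworkAdapter -VirtualNic $vmk -Mtu $Mtu -Confirm:$false | Out-Null
            "{0}/{1}: MTU changed from {2} to {3}" -f $vmk.VMHost.Name, $vmk.Name, $vmk.Mtu, $Mtu
        } else {
            "{0}/{1}: MTU {2} does not match switch MTU {3}" -f $vmk.VMHost.Name, $vmk.Name, $vmk.Mtu, $Mtu
        }
    }
}

Set-VDSwitchJumboFrames -SwitchName 'dvs-storage' -Mtu 9000
```

The physical path is verified from an ESXi shell with `vmkping -I vmkN -d -s 8972 <peer-ip>`: 8972 bytes of payload plus 20 bytes of IP and 8 bytes of ICMP header is exactly 9000, and -d sets the Don't Fragment bit so an undersized hop fails the ping instead of fragmenting it.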

Determine appropriate VLAN configuration for a vSphere implementation

  • Configure the correct VLAN for each port group, including VMkernel Ports e.g. vMotion, Fault Tolerance
  • Traffic that does not need to be tagged should have a VLAN ID of 0
  • Configure the correct Transport VLAN ID when enabling a cluster for NSX

Understand how DSCP is handled in a VXLAN frame

  • L2 CoS and L3 DSCP markings are supported
  • DSCP markings from a VM can be trusted or overwritten at the Logical Switch level
  • The resultant DSCP value is always carried in the outer IP header of VXLAN encapsulated frames