Configuring vSphere Networking Flashcards
List the different virtual switch connection types
VM ports
VMkernel ports - IP storage, vSphere vMotion migration, vSphere Fault Tolerance (FT) logging, vSAN, vSphere Replication and the ESXi management network
Uplink ports
VM ports and VMkernel ports exist in port groups
What are the two types of switches available in vCenter?
standard and distributed
standard switch: virtual switch that is configured for a single host
distributed switch: virtual switch that is configured for an entire data center; up to 2,000 hosts can be attached to the same distributed switch; the configuration is consistent across all attached hosts; hosts must either have an Enterprise Plus License or belong to a vSAN cluster
What are the benefits of using VLANs in regards to virtual switching?
VLANs provide for logical groupings of switch ports. All virtual machines or ports in a VLAN communicate as if they are on the same physical LAN segment. A VLAN is a software configured broadcast domain. Using a VLAN provides the following benefits:
- creation of logical networks that are not based on the physical topology
- improved performance by confining broadcast traffic to a subset of ports on a switch
- cost savings by partitioning the network without the overhead of deploying new routers
How do you view an ESXi host’s virtual standard switch?
In the vSphere Client, select the host, open the Configure tab, and under Networking select Virtual switches
What services can be enabled on a VMkernel port? Describe each of them.
vMotion: allows the VMkernel adapter to advertise itself to another host as the network connection where vSphere vMotion traffic is sent.
Provisioning: handles the data transferred for virtual machine cold migration, cloning, and snapshot migration
Fault Tolerance logging: activates Fault Tolerance logging on the host
Management: activates the management traffic for the host and vCenter
vSphere Replication: handles the outgoing replication data that is sent from the source ESXi host to the vSphere Replication server
vSphere Replication NFC: handles the incoming replication data on the target replication site
vSAN: activates the vSAN traffic on the host
vSphere Backup NFC: VMkernel port setting for dedicated backup NFC traffic
NVMe over TCP: VMkernel port setting for dedicated NVMe over TCP storage traffic. NVMe over TCP storage traffic goes through the VMkernel Adapter when NVMe over TCP adapter is enabled
NVMe over RDMA: VMkernel port setting for dedicated NVMe over RDMA storage traffic. NVMe over RDMA storage traffic goes through the VMkernel Adapter when NVMe over RDMA adapter is enabled
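The VLAN and VMkernel cards above describe the configuration in words; the following PowerCLI script is an added example (not part of the original flashcards) that performs it: it creates a VLAN-tagged port group on a host's standard switch, attaches a VMkernel adapter to it with only the vMotion service enabled, and reads back which services each VMkernel adapter advertises. The vCenter name, host name, switch name, VLAN ID 200 and the IP addressing are assumptions for the example.

```powershell
# Added example, not from the original flashcards. All names and addresses
# below are assumptions (vcenter.example.local, esxi01.example.local, vSwitch0,
# VLAN 200, 10.20.200.0/24).
Connect-VIServer -Server vcenter.example.local

$vmhost = Get-VMHost -Name esxi01.example.local
$vss    = Get-VirtualSwitch -VMHost $vmhost -Name vSwitch0 -Standard

# Port group tagged with VLAN 200. Frames leave the uplinks 802.1Q-tagged, so
# the physical switch port must carry VLAN 200 as a trunk (assumed here).
New-VirtualPortGroup -VirtualSwitch $vss -Name "vMotion-VLAN200" -VLanId 200 | Out-Null

# VMkernel adapter with only the vMotion service enabled. Leaving Management,
# FT logging and vSAN unchecked keeps vMotion memory traffic (unencrypted by
# default) on its own VLAN, separate from the management network.
New-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $vss `
    -PortGroup "vMotion-VLAN200" `
    -IP 10.20.200.11 -SubnetMask 255.255.255.0 `
    -VMotionEnabled $true | Out-Null

# Verify: which services every VMkernel adapter on the host advertises ...
Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel |
    Select-Object Name, IP, PortGroupName, VMotionEnabled, ManagementTrafficEnabled,
                  FaultToleranceLoggingEnabled, VsanTrafficEnabled

# ... and that the new port group really carries the VLAN tag.
Get-VirtualPortGroup -VMHost $vmhost -Name "vMotion-VLAN200" |
    Select-Object Name, VLanId
```

The check at the end matters more than the creation: a VMkernel adapter that has Management and vMotion both enabled, or a port group created with VLAN ID 0, is exactly the misconfiguration the VLAN card warns against, and neither is visible from the command that created it.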
Where do you set default networking policies for standard and distributed switches?
On a standard switch the default networking policy is set at the switch level. You may override the default policy by setting policies at the port group level.
On a distributed switch the default networking policy is set at the distributed port group level. You may override the default policy by setting policies at the individual port level.
What does the networking security policy provide protection against?
MAC address impersonation (MAC spoofing) and unwanted traffic sniffing or port scanning by a guest: the switch drops frames whose source MAC does not match the MAC assigned to the virtual NIC, and it does not deliver frames addressed to other ports unless promiscuous mode is accepted
When would a traffic shaping policy be useful?
when you want to limit the amount of traffic to a VM or a group of VMs
What security policy options are available when editing settings in a virtual network?
Promiscuous mode - Promiscuous mode allows a virtual NIC connected to the switch or port group to receive all frames passing through that switch or port group, regardless of their destination MAC address. The default is Reject.
MAC address changes - If this option is set to Reject and the guest attempts to change the MAC address assigned to the virtual NIC, it stops receiving frames. The default is Reject. Keep the default setting to help protect against attacks launched by a rogue guest operating system.
Forged transmits - A frame's source address field may become altered by the guest and contain a MAC address other than the assigned virtual NIC MAC address. You can set the Forged Transmits parameter to accept or reject such frames. The default is Reject. Keep the default setting to help protect against attacks launched by a rogue guest operating system.
What are some examples of scenarios in which you would want to change the default security policy of Reject to Accept?
Set Promiscuous mode to Accept to use an application in a VM that analyzes or sniffs packets, such as a network-based intrusion detection system.
Set MAC address changes and Forged transmits to Accept if your applications change the mapped MAC address, as do some guest operating system-based firewalls.
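Because the policy lives at the switch level on a standard switch and at the distributed port group level on a distributed switch, an audit has to walk both. The following PowerCLI script is an added example (not part of the original flashcards) that finds every port group where Promiscuous mode, MAC address changes or Forged transmits is set to Accept and resets it to Reject, while honouring a short allow-list for the two legitimate cases the cards mention: an IDS sensor that needs promiscuous mode and guest firewalls that rewrite MAC addresses. The vCenter name and the port group names "IDS-SPAN" and "FW-Appliances" are assumptions.

```powershell
# Added example, not from the original flashcards. vcenter.example.local and
# the allow-listed port group names are assumptions.
Connect-VIServer -Server vcenter.example.local

$promiscAllowed = @("IDS-SPAN")        # only an IDS sensor may sniff
$macAllowed     = @("FW-Appliances")   # guest firewalls that rewrite MACs

# Given the current policy, return a splatting table of the settings that
# must be reset to Reject ($false) for this port group name.
function Get-Violations($pol, $name) {
    $set = @{}
    if ($pol.AllowPromiscuous -and $name -notin $promiscAllowed) { $set.AllowPromiscuous = $false }
    if ($pol.MacChanges       -and $name -notin $macAllowed)     { $set.MacChanges       = $false }
    if ($pol.ForgedTransmits  -and $name -notin $macAllowed)     { $set.ForgedTransmits  = $false }
    return $set
}

# Standard switches: policy is inherited from the switch, so the effective
# value on the port group is what matters. Setting it explicitly breaks
# inheritance, which is what we want for a hardened baseline.
foreach ($pg in Get-VirtualPortGroup -Standard) {
    $pol = Get-SecurityPolicy -VirtualPortGroup $pg
    $set = Get-Violations $pol $pg.Name
    if ($set.Count -gt 0) {
        Write-Host "vSS $($pg.VirtualSwitch.VMHost.Name)/$($pg.Name): resetting $($set.Keys -join ', ') to Reject"
        $pol | Set-SecurityPolicy @set | Out-Null
    }
}

# Distributed switches: the policy is set on the distributed port group.
# Uplink port groups carry no VM traffic and are skipped.
foreach ($dpg in Get-VDPortgroup | Where-Object { -not $_.IsUplink }) {
    $pol = Get-VDSecurityPolicy -VDPortgroup $dpg
    $set = Get-Violations $pol $dpg.Name
    if ($set.Count -gt 0) {
        Write-Host "vDS $($dpg.VDSwitch.Name)/$($dpg.Name): resetting $($set.Keys -join ', ') to Reject"
        $pol | Set-VDSecurityPolicy @set | Out-Null
    }
}
```

Run it once with the two Set- lines commented out to get a report before changing anything: a port group that unexpectedly has Promiscuous mode on Accept is worth a conversation with its owner, since any VM attached to it can read every other tenant's frames on that port group.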
What is network traffic shaping?
Network traffic shaping is a mechanism for limiting a virtual machine's consumption of available network bandwidth.
Average rate, peak rate, and burst size are configurable
Network traffic shaping is deactivated by default
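As an added example (not part of the original flashcards), the following PowerCLI script enables traffic shaping on a distributed port group in both directions with the three configurable values from the card (average rate, peak rate, burst size) and reads the effective policy back. The vCenter name and the "Lab-VMs" port group are assumptions. PowerCLI takes average and peak bandwidth in bits per second and burst size in bytes, whereas the vSphere Client displays kbit/s and KB, so the units are converted in the comments.

```powershell
# Added example, not from the original flashcards. vcenter.example.local and
# the "Lab-VMs" distributed port group are assumptions.
Connect-VIServer -Server vcenter.example.local

$dpg = Get-VDPortgroup -Name "Lab-VMs"

# Apply the same cap to ingress (VM -> switch) and egress (switch -> VM).
# Shaping is deactivated by default, so -Enabled $true is required.
foreach ($dir in "In", "Out") {
    Get-VDTrafficShapingPolicy -VDPortgroup $dpg -Direction $dir |
        Set-VDTrafficShapingPolicy -Enabled $true `
            -AverageBandwidth 100000000 `   # 100 Mbit/s  (100,000 kbit/s in the client)
            -PeakBandwidth    200000000 `   # 200 Mbit/s  (200,000 kbit/s in the client)
            -BurstSize        1048576   |   # 1 MB         (1,024 KB in the client)
        Out-Null
}

# Read back the effective policy for both directions.
Get-VDTrafficShapingPolicy -VDPortgroup $dpg |
    Select-Object Direction, Enabled, AverageBandwidth, PeakBandwidth, BurstSize
```

The burst size is what lets a VM briefly exceed the average rate up to the peak rate: with the values above a VM can send about 1 MB at 200 Mbit/s before being held to 100 Mbit/s, so a lab VM that starts flooding the network cannot monopolise an uplink shared with production port groups.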
What are the available load balancing options for NIC teaming?
Route based on IP hash
Route based on source MAC hash
Route based on originating virtual port
Route based on physical NIC load (distributed switches only)
Use explicit failover order
Describe NIC teaming.
NIC teaming increases the network bandwidth of the switch and provides redundancy. With NIC teaming, you can increase the network capacity of a port group by including two or more physical NICs in a team.
physical NICs = uplink ports
Describe the load balancing method Originating Virtual Port ID
With the load balancing method that is based on the originating virtual port ID, a virtual machine’s outbound traffic is mapped to a specific physical NIC
This method has advantages:
- Traffic is evenly distributed if the number of virtual NICs is greater than the number of physical NICs in the team.
- Algorithm overhead is low because, in most cases, the virtual switch calculates uplinks for the VM only once.
- No changes on the physical switch are required.
This method also has disadvantages:
- The virtual switch does not take into account the traffic load on the uplinks. The virtual switch does not load balance the traffic to uplinks that are used less.
- The bandwidth that is available to a VM is limited to the speed of the uplink that is associated with the relevant port ID, unless the VM has more than one virtual NIC.
Describe the load balancing method Route based Source MAC hash
A virtual machine’s outbound traffic, when load balanced using the source MAC hash method, is mapped to a specific physical NIC based on the virtual NIC’s MAC address
This method has advantages:
- VMs use the same uplink because the MAC address is static. Powering a VM on or off does not change the uplink that the VM uses.
- No changes on the physical switch are required.
This method has disadvantages:
- The bandwidth that is available to a VM is limited to the speed of the uplink that is associated with its source MAC address, unless the VM uses multiple source MAC addresses.
- Algorithm overhead is higher than with a route based on the originating virtual port because the virtual switch calculates an uplink for every packet.
- The virtual switch is not aware of the load of the uplinks, so uplinks might become overloaded.
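The two teaming cards above list the same disadvantage for both methods: the virtual switch does not look at how loaded an uplink is. The following PowerCLI script is an added example (not part of the original flashcards) that configures the originating virtual port policy with an explicit active/standby uplink order on a standard port group, and on a distributed port group switches to "Route based on physical NIC load", the one policy (distributed switches only) that does rebalance VMs when an uplink becomes busy. The vCenter, host, port group and uplink names are assumptions.

```powershell
# Added example, not from the original flashcards. Host, port group and
# uplink names are assumptions.
Connect-VIServer -Server vcenter.example.local

# Standard switch: originating virtual port ID, vmnic0/vmnic1 active and
# vmnic2 standby. Each VM port is pinned to one active uplink and stays there
# regardless of how busy that uplink is; failback returns traffic to the
# original uplink once its link comes back.
$pg = Get-VirtualPortGroup -VMHost esxi01.example.local -Name "Prod-VLAN10" -Standard
Get-NicTeamingPolicy -VirtualPortGroup $pg |
    Set-NicTeamingPolicy -LoadBalancingPolicy LoadBalanceSrcId `
        -MakeNicActive vmnic0, vmnic1 -MakeNicStandby vmnic2 `
        -NetworkFailoverDetectionPolicy LinkStatus -FailbackEnabled $true | Out-Null

# Distributed port group: "Route based on physical NIC load" starts out like
# originating virtual port, but the vDS moves a VM's traffic to a less loaded
# uplink when one uplink stays above 75% utilisation for 30 seconds. Like the
# other non-IP-hash policies it needs no configuration on the physical switch.
$dpg = Get-VDPortgroup -Name "Prod-VLAN10-DVS"
Get-VDUplinkTeamingPolicy -VDPortgroup $dpg |
    Set-VDUplinkTeamingPolicy -LoadBalancingPolicy LoadBalanceLoadBased `
        -ActiveUplinkPort "Uplink 1", "Uplink 2" -StandbyUplinkPort "Uplink 3" `
        -FailoverDetectionPolicy LinkStatus -EnableFailback $true | Out-Null

# Read back the effective policies to confirm the active/standby order.
Get-NicTeamingPolicy -VirtualPortGroup $pg |
    Select-Object LoadBalancingPolicy, ActiveNic, StandbyNic, FailbackEnabled
Get-VDUplinkTeamingPolicy -VDPortgroup $dpg |
    Select-Object LoadBalancingPolicy, ActiveUplinkPort, StandbyUplinkPort, EnableFailback
```

Do not mix these with "Route based on IP hash" on the same uplinks: IP hash is the only policy that requires a static EtherChannel / port channel on the physical switch, and a port group using it alongside port groups using the policies above on the same uplinks leads to dropped frames and MAC flapping on the physical switch.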