Configuring vSphere Networking Flashcards

1
Q

List the different virtual switch connection types

A

VM ports

VMkernel ports - IP storage, vSphere vMotion migration, vSphere Fault Tolerance (FT), vSAN, vSphere Replication and the ESXi management network

Uplink ports

VM ports and VMkernel ports exist in port groups

2
Q

What are the two types of switches available in vCenter?

A

standard and distributed

standard switch: virtual switch that is configured for a single host

distributed switch: virtual switch that is configured for an entire data center; up to 2,000 hosts can be attached to the same distributed switch; the configuration is consistent across all attached hosts; hosts must either have an Enterprise Plus License or belong to a vSAN cluster

3
Q

What are the benefits of using VLANs in regards to virtual switching?

A

VLANs provide logical groupings of switch ports. All virtual machines or ports in a VLAN communicate as if they are on the same physical LAN segment. A VLAN is a software-configured broadcast domain. Using a VLAN provides the following benefits:
- creation of logical networks that are not based on the physical topology
- improved performance by confining broadcast traffic to a subset of ports on a switch
- cost savings by partitioning the network without the overhead of deploying new routers

4
Q

How do you view an ESXi host’s virtual standard switch?

A

In the vSphere Client, select the host, then under Networking select Virtual switches and then select Configure.

5
Q

What services can be enabled on a VMkernel port? Describe each of them.

A

vMotion: allows the VMkernel adapter to advertise itself to another host as the network connection where vSphere vMotion traffic is sent.

Provisioning: handles the data transferred for virtual machine cold migration, cloning, and snapshot migration

Fault Tolerance logging: activates Fault Tolerance logging on the host

Management: activates the management traffic for the host and vCenter

vSphere Replication: handles the outgoing replication data that is sent from the source ESXi host to the vSphere Replication server

vSphere Replication NFC: handles the incoming replication data on the target replication site

vSAN: activates the vSAN traffic on the host

vSphere Backup NFC: VMkernel port setting for dedicated backup NFC traffic

NVMe over TCP: VMkernel port setting for dedicated NVMe over TCP storage traffic. NVMe over TCP storage traffic goes through the VMkernel adapter when the NVMe over TCP adapter is enabled.

NVMe over RDMA: VMkernel port setting for dedicated NVMe over RDMA storage traffic. NVMe over RDMA storage traffic goes through the VMkernel adapter when the NVMe over RDMA adapter is enabled.

6
Q

Where do you set default networking policies for standard and distributed switches?

A

On a standard vCenter switch the default networking policy is set at the switch level. You may override the default policy by setting policies at the port group level

On a distributed vCenter switch the default networking policy is set at the distributed port group level. You may override the default policy by setting policies at the individual port level.

7
Q

What does the networking security policy provide protection against?

A

MAC spoofing or MAC address impersonation and unwanted port scanning

8
Q

When would a traffic shaping policy be useful?

A

when you want to limit the amount of traffic to a VM or a group of VMs

9
Q

What security policy options are available when editing settings in a virtual network?

A

Promiscuous mode - Promiscuous mode allows a virtual switch or port group to forward all traffic, regardless of destination. The default is Reject.

MAC address changes - If this option is set to Reject and the guest attempts to change the MAC address assigned to the virtual NIC, it stops receiving frames. The default is Reject. Keep the default setting to help protect against attacks launched by a rogue guest operating system.

Forged transmits - A frame's source address field may be altered by the guest to contain a MAC address other than the assigned virtual NIC MAC address. You can set the Forged Transmits parameter to accept or reject such frames. The default is Reject. Keep the default setting to help protect against attacks launched by a rogue guest operating system.

10
Q

What are some examples of scenarios in which you would want to change the default security policy of Reject to Accept?

A

Set Promiscuous mode to Accept to use an application in a VM that analyzes or sniffs packets, such as a network-based intrusion detection system.

Set MAC address changes and Forged transmits to Accept if your applications change the mapped MAC address, as do some guest operating system-based firewalls.

11
Q

What is network traffic shaping?

A

Network traffic shaping is a mechanism for limiting a virtual machine's consumption of available network bandwidth.

Average rate, peak rate, and burst size are configurable

Network traffic shaping is deactivated by default

12
Q

What are the available load balancing options for NIC teaming?

A

Route based on IP hash

Route based on source MAC hash

Route based on originating virtual port

Use explicit failover order

13
Q

Describe NIC teaming.

A

NIC teaming increases the network bandwidth of the switch and provides redundancy. With NIC teaming, you can increase the network capacity of a port group by including two or more physical NICs in a team.

physical NICs = uplink ports

14
Q

Describe the load balancing method Originating Virtual Port ID

A

With the load balancing method that is based on the originating virtual port ID, a virtual machine’s outbound traffic is mapped to a specific physical NIC

This method has advantages:
- Traffic is evenly distributed if the number of virtual NICs is greater than the number of physical NICs in the team.
- Algorithm overhead is low because, in most cases, the virtual switch calculates uplinks for the VM only once.
- No changes on the physical switch are required.

This method also has disadvantages:
- The virtual switch does not take into account the traffic load on the uplinks. The virtual switch does not load balance the traffic to uplinks that are used less.
- The bandwidth that is available to a VM is limited to the speed of the uplink that is associated with the relevant port ID, unless the VM has more than one virtual NIC.

15
Q

Describe the load balancing method Route based on source MAC hash

A

A virtual machine’s outbound traffic, when load balanced using the source MAC hash method, is mapped to a specific physical NIC based on the virtual NIC’s MAC address

This method has advantages:
- VMs use the same uplink because the MAC address is static. Powering a VM on or off does not change the uplink that the VM uses.
- No changes on the physical switch are required.

This method has disadvantages:
- The bandwidth that is available to a VM is limited to the speed of the uplink that is associated with the relevant port ID, unless the VM uses multiple source MAC addresses.
- Algorithm overhead is higher than with a route based on the originating virtual port because the virtual switch calculates an uplink for every packet.
- The virtual switch is not aware of the load of the uplinks, so uplinks might become overloaded.

16
Q

Describe the load balancing method route based on Source & Destination IP hash

A

With the IP-based load balancing method, a NIC for each outbound packet is selected based on its source and destination IP addresses

The IP-based method requires 802.3ad link aggregation support or an EtherChannel on the switch. The Link Aggregation Control Protocol (LACP) is a method to control the bundling of several physical ports to form a single logical channel. LACP is part of the IEEE 802.3ad specification

The IP-based load balancing method only affects outbound traffic. For example, a VM might select a particular NIC to communicate with a particular destination VM. The return traffic might not be handled on the same NIC as the outbound traffic, but by another NIC in the same NIC team.

This method has advantages:
- The load is more evenly distributed compared to the route based on the originating virtual port and the route based on source MAC hash because the virtual switch calculates the uplink for every packet.
- VMs that communicate with multiple IP addresses have a potentially higher throughput.

This method has disadvantages:
- Algorithm overhead is the highest compared to the other load balancing algorithms.
- The virtual switch is not aware of the actual load of the uplinks.
- Changes on the physical network are required.
- The method is complex to troubleshoot.

17
Q

How does vCenter detect network failures?

A

Network failures are monitored and detected by the VMkernel. The VMkernel monitors the link state and performs beacon probing (if selected) at one-second intervals to ensure network uptime.

18
Q

Describe Beacon Probing.

A

Beacon probing is a network failover detection method used in vSphere to monitor the health of network links. Unlike link status detection, which relies on the physical link status to determine network availability, beacon probing actively tests the network by sending out beacon packets from each NIC in a team to verify that the network is functioning correctly. Beacon probing introduces a 62-byte packet load approximately every 1 second per physical NIC. When beacon probing is activated, the VMkernel sends out and listens for probe packets on all NICs that are configured as part of the team. This technique can detect failures that link-status monitoring alone cannot. A specific network topology is required for beacon probing to work.

19
Q

Describe the Failback option in the NIC Teaming and Failover settings page.

A

The failback option determines how a physical adapter is returned to active duty after recovering from a failure:
- If Failback is set to Yes, the failed adapter is returned to active duty immediately on recovery, displacing the standby adapter that took its place at the time of failure.
- If Failback is set to No, a failed adapter is left inactive even after recovery, until another currently active adapter fails, requiring its replacement.

20
Q

True or False: The load balancing method called Originating Virtual Port ID is only available on distributed switches

A

False

The load balancing method based on physical NIC load is the only method supported on distributed switches.

The load balancing method that is only available on distributed switches is the Route based on physical NIC load option. This method ensures that physical NIC capacity in a NIC team is optimized.

21
Q

What are some benefits of vSphere Distributed switches compared to vSphere standard switches?

A
  • Distributed switches centralize virtual network administration and simplify data center administration.
  • Distributed switch ports are statically assigned by vCenter and offer more granular control over network statistics and policies.

Standard switches are configured at the host level. Distributed switches are configured at the data center level, which gives distributed switches the following advantages:
- Data center setup and administration are simplified through this centralized network configuration. For example, adding a host to a cluster and making it compatible with vSphere vMotion is much easier than with a standard switch.
- Distributed ports migrate with their VMs. For example, when you migrate a VM with vSphere vMotion, the distributed port statistics and policies move with the VM, which simplifies debugging and troubleshooting.

22
Q

What are the 2 components of vSphere Distributed switch architecture?

A

control plane and I/O plane

The control plane resides in vCenter. The control plane configures distributed switches, distributed port groups, distributed ports, uplinks, NIC teaming, and so on. The control plane also coordinates the migration of the ports and is responsible for the switch configuration

The I/O plane is implemented as a hidden virtual switch in the VMkernel of each ESXi host. The I/O plane manages the I/O hardware on the host and is responsible for forwarding packets. vCenter oversees the creation of these hidden virtual switches

23
Q

What are the 3 modes of CDP and LLDP?

A
  • Listen (default): The ESXi host detects and displays information about the associated physical switch port, but information about the virtual switch is not available to the physical switch administrator.
  • Advertise: The ESXi host provides information about the virtual switch to the physical switch administrator but does not detect and display information about the physical switch.
  • Both: The ESXi host detects and displays information about the associated physical switch and provides information about the virtual switch to the physical switch administrator.

24
Q

What is Port Binding and what are the options available?

A

Port binding determines when and how a VM virtual NIC is assigned to a virtual switch port. Port binding is configured at the distributed port group level, and binding options include:

  • Static binding (default): vCenter assigns a permanent port for the VM or VMkernel interface.
  • Ephemeral: ESXi (not vCenter) assigns the port to the VM. The assigned port changes when the VM reboots.

25
Q

Define the Port allocation options for static binding.

A

Elastic (default): When all ports are assigned, a new set of eight ports is created.

Fixed: No additional ports are created when all ports are assigned

26
Q

What is the only load balancing method supported by vSphere Distributed switches?

A

Route based on Physical NIC load

Load balancing based on physical NIC load ensures that physical NIC capacity in a NIC team is optimized

The distributed switch calculates uplinks for VMs by checking the VM port ID and the number of uplinks in the NIC team. The distributed switch tests the uplinks every 30 seconds. If the load of an uplink exceeds 75 percent of usage, the port ID of the VM with the highest I/O is moved to a different uplink.