Configuring vSphere Networking Flashcards
List the different virtual switch connection types
VM ports
VMkernel ports - IP storage, vSphere vMotion migration, vSphere Fault Tolerance (FA), vSAN, vSphere Replication and the ESXi management network
Uplink ports
VM ports and VMkernel ports exist in port groups
What are the two types of switches available in vCenter?
standard and distributed
standard switch: virtual switch that is configured for a single host
distributed switch: virtual switch that is configured for an entire data center; up to 2,000 hosts can be attached to the same distributed switch; the configuration is consistent across all attached hosts; hosts must either have an Enterprise Plus License or belong to a vSAN cluster
What are the benefits of using VLANs in regards to virtual switching?
VLANs provide for logical groupings of switch ports. All virtual machines or ports in a VLAN communicate as if they are on the same physical LAN segment. A VLAN is a software configured broadcast domain. Using a VLAN provides the following benefits:
- creating of logical networks that are not based on the physical topology
- improved performance by confining broadcast traffic to a subset of ports on a switch
- cost savings by partitioning the network without the overhead of deploying new routers
How do you view an ESXi host’s virtual standard switch?
In the vSphere Client, selecting the host and under Networking, select Virtual switches and then select Configure
What services can be enabled on a VMkernel port? Describe each of them.
vMotion: allows the VMkernel adapter to advertise itself to another host as the network connection where vSphere vMotion traffic is sent.
Provisioning: handles the data transferred for virtual machine cold migration, cloning, and snapshot migration
Fault Tolerance logging: activates Fault Tolerance logging on the host
Management: activates the management traffic for the host and vCenter
vSphere Replication: handles the outgoing replication data that is sent from the source ESXi host to the vSphere Replication server
vSphere Replication NFC: handles the incoming replication data on the target replication site
vSAN: activates the vSAN traffic on the host
vSphere Backup NFC: VMkernel port setting for dedicated backup NFC traffic
NVMe over TCP: VMkernel port setting for dedicated NVMe over TCP storage traffic. NVMe over TCP storage traffic goes through the VMkernel Adapter when NVMe over TCP adapter is enabled
NVMe over RDMA: VMkernel port setting for dedicated NVMe over RDMA storage traffic. NVMe over RDMA storage traffic goes through the VMkernel Adapter when NVMe over RDMA adapter is enabled
Where do you set default networking policies for standard and distributed switches?
On a standard vCenter switch the default networking policy is set at the switch level. You may override the default policy by setting policies at the port group level
On a distributed vCenter switch the default networking policy is set at the distributed port group level. You may override the default policy by setting policies at the individual port level.
What does the networking security policy provide protection against?
MAC spoofing or MAC address impersonation and unwanted port scanning
When would a traffic shaping policy be useful?
when you want to limit the amount of traffic to a VM or a group of VMs
What security policy options are available when editing settings in a virtual network?
Promiscuous mode - Promiscuous mode allows a virtual switch or port group to forward all traffic, regardless of their destinations. The default is Reject.
MAC address changes - If this option is set to Reject and the guest attempts to change the MAC address assigned to the virtual NIC, it stops receiving frames. The default is Reject. Keep the default setting to help protect against attacks launched by a rogue guest operating system.
Forged transmits - A frame’s source address field may become altered by the guest and contain a MAC address other than the assigned virtual NIC MAC address. You can set the Forged Transmits parameter to accept or reject such frames. The default is Reject. Keep
the default setting to help protect against attacks launched by a rogue guest operating system.
What are some examples of scenarios in which you would want to change the default security policy of Reject to Accept?
Set Promiscuous mode to Accept to use an application in a VM that analyzes or sniffs
packets, such as a network-based intrusion detection system.
Set MAC address changes and Forged transmits to Accept if your applications change the mapped MAC address, as do some guest operating system-based firewalls.
What is network traffic shaping?
is a mechanism for limiting a virtual machine’s consumption of
available network bandwidth.
Average rate, peak rate, and burst size are configurable
Network traffic shaping is deactivated by default
What are the available load balancing options for NIC teaming?
Route based on IP hash
Route based on source MAC hash
Route based on originating virtual port
Use explicit failover order
Describe NIC teaming.
NIC teaming increases the network bandwidth of the switch and provides redundancy; With NIC teaming, you can increase the network capacity of a port group by including two or
more physical NICs in a team
physical NICs = uplink ports
Describe the load balancing method Originating Virtual Port ID
With the load balancing method that is based on the originating virtual port ID, a virtual machine’s outbound traffic is mapped to a specific physical NIC
This method has advantages:
- Traffic is evenly distributed if the number of virtual NICs is greater than the number of physical NICs in the team.
- Algorithm overhead is low because, in most cases, the virtual switch calculates uplinks for the VM only once.
- No changes on the physical switch are required.
This method also has disadvantages:
- The virtual switch does not take into account the traffic load on the uplinks. The virtual switch does not load balance the traffic to uplinks that are used less.
- The bandwidth that is available to a VM is limited to the speed of the uplink that is associated with the relevant port ID, unless the VM has more than one virtual NIC.
Describe the load balancing method Route based Source MAC hash
A virtual machine’s outbound traffic, when load balanced using the source MAC hash method, is mapped to a specific physical NIC based on the virtual NIC’s MAC address
This method has advantages:
- VMs use the same uplink because the MAC address is static. Powering a VM on or off does not change the uplink that the VM uses.
- No changes on the physical switch are required.
This method has disadvantages:
- The bandwidth that is available to a VM is limited to the speed of the uplink that is associated with the relevant port ID, unless the VM uses multiple source MAC addresses.
- Algorithm overhead is higher than with a route based on the originating virtual port because the virtual switch calculates an uplink for every packet.
- The virtual switch is not aware of the load of the uplinks, so uplinks might become overloaded.
Describe the load balancing method route based on Source & Destination IP hash
With the IP-based load balancing method, a NIC for each outbound packet is selected based on its source and destination IP addresses
The IP-based method requires 802.3ad link aggregation support or an EtherChannel on the switch. The Link Aggregation Control Protocol (LACP) is a method to control the bundling of several physical ports to form a single logical channel. LACP is part of the IEEE 802.3ad specification
The IP-based load balancing method only affects outbound traffic. For example, a VM might select a particular NIC to communicate with a particular destination VM. The return traffic might not be handled on the same NIC as the outbound traffic, but by another NIC in the
same NIC team
This method has advantages:
- The load is more evenly distributed compared to the route based on the originating virtual port and the route based on source MAC hash because the virtual switch calculates the uplink for every packet.
- VMs that communicate with multiple IP addresses have a potentially higher throughput.
This method has disadvantages:
- Algorithm overhead is the highest compared to the other load balancing algorithms.
- The virtual switch is not aware of the actual load of the uplinks.
- Changes on the physical network are required.
- The method is complex to troubleshoot.
How does vCenter detect network failures?
Network failures are monitored and detected by the VMkernel. The VMkernel monitors the link state and performs beacon probing (if selected) on one second intervals to ensure network uptime
Describe Beacon Probing.
Beacon probing is a network failover detection method used in vSphere to monitor the health of network links. Unlike link status detection, which relies on the physical link status to determine network availability, beacon probing actively tests the network by sending out beacon packets from each NIC in a team to verify that the network is functioning correctly. Beacon probing introduces a 62-byte packet load approximately every 1 second per physical NIC. When beacon probing is activated, the VMkernel sends out and listens for probe packets on all NICs that are configured as part of the team. This technique can detect failures that link-status monitoring alone cannot. A specific network topology is required for beacon probing to work.
Describe the Failback option in the NIC Teaming and Failover settings page.
The failback option determines how a physical adapter is returned to active duty after recovering from a failure:
- If Failback is set to Yes, the failed adapter is returned to active duty immediately on recovery, displacing the standby adapter that took its place at the time of failure.
- If Failback is set to No, a failed adapter is left inactive even after recovery, until another currently active adapter fails, requiring its replacement.
True or False: The load balancing method called Originating Virtual Port ID is only available on distributed switches
False
The load balancing method based on physical NIC load is the only method supported on distributed switches.
The load balancing method that is only available on distributed switches is the Route based on physical NIC load option. This method ensures that physical NIC capacity in a NIC team is optimized.
What are some benefits of vSphere Distributed switches compared to vSphere standard switches?
- Distributed switches centralize the virtual network administration, and simplifies the data center administration.
- Distributed switch ports are statically assigned by vCenter and offer more granular control over network statistics and policies.
Standard switches are configured at the host level. Distributed switches are configured at the data center level, which gives distributed switches the following advantages:
- Data center setup and administration are simplified through this centralized network configuration. For example, adding a host to a cluster and making it compatible with vSphere vMotion is much easier than with a standard switch.
- Distributed ports migrate with their VMs. For example, when you migrate a VM with vSphere vMotion, the distributed port statistics and policies move with the VM, which simplifies debugging and troubleshooting.
What are the 2 components of vSphere Distributed switch architecture?
control plane and I/O plane
The control plane resides in vCenter. The control plane configures distributed switches, distributed port groups, distributed ports, uplinks, NIC teaming, and so on. The control plane also coordinates the migration of the ports and is responsible for the switch configuration
The I/O plane is implemented as a hidden virtual switch in the VMkernel of each ESXi host. The I/O plane manages the I/O hardware on the host and is responsible for forwarding packets. vCenter oversees the creation of these hidden virtual switches
What are the 3 modes of CDP and LLDP?
- Listen (default): The ESXi host detects and displays information about the associated physical switch port, but information about the virtual switch is not available to the physical switch administrator.
- Advertise: The ESXi host provides information about the virtual switch to the physical switch administrator but does not detect and display information about the physical switch.
- Both: The ESXi host detects and displays information about the associated physical switch and provides information about the virtual switch to the physical switch administrator.
What is Port Binding and what are the options available?
Port binding determines when and how a VM virtual NIC is assigned to a virtual switch port. Port binding is configured at the distributed port group level, and binding options include:
- Static binding (default): vCenter assigns a permanent port for the VM or VMkernel interface.
- Ephemeral: ESXi (not vCenter) assigns the port to the VM. The assigned port changes when the VM reboots.
