Configuring vSS and vDS Features.

Question 1

Common vSS Policies.

Answer 1

There are three main policies for vSSs:

1. Security
2. Traffic shaping
3. Teaming and Failover

Each policy can be set at the switch level and be overridden at the port group level if necessary.

Question 2

Common vDS Policies.

Answer 2

Policies that can be set at the port group level on a vDS and be overridden at the port level include:

1. Security
2. Traffic Shaping
3. VLAN
4. Teaming and Failover
5. Resource Allocation
6. Monitoring
7. Miscellaneous (port blocking)
8. Advanced (override settings).

Two-step process:
First, you configure the port group to allow changes to a particular setting at port level,
and then you locate the port that you want to configure.

Question 3

Configuring dvPort Group Blocking Policies.

Answer 3

This isn’t your everyday setting. It’s more of a “one-off” scenario setting that can come in handy if you know how to use it. Suppose that you want to isolate all machines on a port group from the network for a period of time while you make a software change. After the change, you want to connect them all again.

Question 4

Configuring Load Balancing and Failover Policies.

Answer 4

If you assign more than one vmnic (physical NIC) to a switch or port group, you can configure load balancing and failover policies using the vmnics that you assign. This is the concept of NIC teaming, which you should clearly understand is not using more than one vNIC on a VM, but instead using more than one vmnic on a switch or port group.

On a port group of a vSS or a vDS, you will find a list of policy exceptions, as shown on a vSS for Teaming and Failover in Figure 6-9. They are called exceptions because they each have a default setting, but that setting can be changed if necessary. Each of these settings and the options that you have are discussed next.

Question 5

Configuring Load Balancing and Failover Policies: Load Balancing.

Answer 5

There are five load balancing options from which you can choose:
1. Route based on the originating virtual port ID: The physical NIC is determined by the ID of the virtual port to which the VM is connected. This option has the lowest overhead and is the default option for vSSs and port groups on vSSs.

2. Route based on source MAC hash: All of VM’s outbound traffic is mapped to a specific physical NIC that is based on the MAC address associated with the VM’s virtual network interface card (vNIC). This method has relatively low overhead and is compatible with all switches[md]even those that do not support the 802.3ad protocol.
3. Route based on IP hash: The physical NIC for each outbound packet is chosen based on a hash of the source and destination addresses contained in the packet. This method has the disadvantage of using more CPU resources; however, it can provide better distribution of traffic across the physical NICs. This method also requires the 802.3ad link aggregation support or EtherChannel on the switch.
4. Route based on physical NIC load: The virtual switch checks the actual load of the physical uplinks and takes steps to reduce overloaded uplinks by redirecting traffic to the other available uplinks. Only available on the vDS.
5. Use explicit failover order: The switch will always choose from its list of active adapters the highest order uplink that is not currently in use.

Question 6

Configuring Load Balancing and Failover Policies: Failover Policies.

Answer 6

1. Link Status Only: This option relies solely on the link status that the network adapter provides. In other words, “Do I feel electricity?” or with fiber, “Do I see a light?” This option detects cable pulls and physical switch failures, but it does not detect configuration errors that are beyond the directly connected switch. This method has no overhead and is the default.
2. Beacon Probing: This option listens for link status but also sends out beacon packets from each physical NIC that it expects to be received on the other physical NIC. In this way, physical issues can be detected as well as configuration errors, such as improper settings on Spanning Tree Protocol (STP) or VLANs. Also, you should not use Beacon Probing with IP-hash load balancing because the way the beacon traffic is handled does not work well with this option and can cause a “network flapping” error.

Question 7

Notify Switches.

Answer 7

The following are your two simple options with regard to notifying switches:

1. Yes: If you select this option, the switch is notified whenever a VM’s traffic will be routed over a different physical NIC because of a failover event. In most cases, this is the setting that you want to configure because it offers the lowest latency for failover occurrence and for vMotion migrations.
2. No: If you select this option, the switch will not be notified and will not make the changes to its MAC address table. You should select this option only if you are using Microsoft Network Load Balancing (NLB) in unicast mode because selecting Yes prevents the proper function of Microsoft Network Load Balancing in unicast mode.

Question 8

Failback.

Answer 8

On each switch and/or port group, you can assign vmnics (physical NICs) as Active, Standby, or Unused, as shown in Figure 6-10.

If a vmnic is listed as Active, it will be used unless it fails. If a vmnic fails, the first vmnic in the Standby list is used. Now, what if the first vmnic should come back? Then should you go back to it immediately, or should you stay with the vmnic that is currently working fine?

The following are your two simple options for Failback settings:

Yes: If you select this option, a failed adapter that has recovered will be returned to Active status immediately after its recovery, thereby replacing the vmnic that is working fine. This might be an advantage if the primary adapter is somehow superior to the secondary one, such as a faster speed or other features. The disadvantage of this option is that a “flapping” connection could cause the system to play “ping pong” with itself, continually changing between adapters.

No: If you select this option and an adapter fails and then recovers, the adapter that took its place when it failed will continue to be used. This “if it ain’t broke, don’t fix it” approach avoids the “ping pong” of the other option but might leave the traffic on a slower or less desirable adapter.

Question 9

Configuring VLAN and PVLAN Settings.

Answer 9

vSphere fully supports IEEE 802.1Q tagging.

On vSS port groups, you can configure the VLAN setting on the General tab of the properties for the port group, as shown in Figure 6-12. You can do so by typing the VLAN number from your network in the box labeled VLAN ID (Optional). If you have VMs that need to receive packets from more than one subnet and provide their own tagging for more than one subnet, you should select All (4095).

On vDS port groups, you can configure the VLAN in a much more granular fashion. You might have noticed that the VLAN setting is one of the options under Policies. On this setting, you have three options from which to choose: VLAN, VLAN Trunking, and Private VLAN.

Question 10

Configuring VLAN Policy Settings on a vDS.

Answer 10

If you select VLAN, the screen changes, and you are presented with a simple box in which you can input a number, as shown in Figure 6-13. This number should be an actual VLAN number that you are using on your physical network and that you want to incorporate into your virtual network as well, on this port group. Your range of choices is from 1 to 4094.

Question 11

Configuring VLAN Trunking Policies on a VDS.

Answer 11

This option establishes the port group as a trunk that can carry multiple VLANs to VMs that are connected to it. However, rather than having to carry all 4094 VLANs just to have more than one, on vDSs, this setting can be pruned to carry only the VLANs or range of VLANs that you specify, as shown in Figure 6-14.

Question 12

Configuring Private VLAN Policy Settings on a vDS.

Answer 12

Allows you to use a VLAN that you have created on the vDS that can be used only by your vSphere environment and not by your external network.

You can create and use three types of private VLANs in your vSphere:

1. Promiscuous: This is named (numbered) by the primary VLAN that you chose from your physical network. It is the remaining piece that is not separated from the primary VLAN. VMs on this VLAN can be reached by any VM in the same primary VLAN.
2. Isolated: This is a private VLAN used to create a separate network for one VM in your virtual network that is not used at all in the physical world. It can be used to isolate a highly sensitive VM, for example. If a VM is in an isolated VLAN, it will not communicate with any other VMs in other isolated VLANs or in other community VLANs. It can communicate with promiscuous VLANs.
3. Community: This is a private VLAN used to create a separate network to be shared by more than one VM. This VLAN is also used only in your virtual network and not in your physical network. VMs on community VLANs can communicate only to other VMs on the same community or to VMs on a promiscuous VLAN.

Question 13

Configuring Traffic Shaping Policies.

Answer 13

When you decide to use traffic shaping, your goal should be to free up available bandwidth by limiting the bandwidth usage on port groups that contain VMs that can function with less bandwidth.

Question 14

Traffic Shaping Policies for vSphere Standard Switches.

Answer 14

On vSSs, all traffic shaping is for outbound traffic only. As with other policies, you can configure traffic shaping on a vSS at the switch level, and then you can override it at the port group level. After you enable traffic shaping, you can configure three main settings for outbound traffic on vSS switches and port groups:

1. Average bandwidth (kbit/s): This establishes the number of kilobits per second to allow across a port, averaged over time. It should be an amount based on that which you have observed or monitored in the past.
2. Peak bandwidth (kbit/s): This is the maximum
   aggregate traffic measured in kilobits per second that will be allowed for a port group or switch. It should be an amount that will not hamper the effective use of the VMs connected to the port group or switch.
3. Burst size (KB): This is the maximum number of bytes to be allowed in a burst. A burst is defined as exceeding the average bandwidth. This setting determines how long the bandwidth can exceed the average as a factor of how far it has exceeded the average. The higher it goes, the less time it can spend there. In other words, this setting is a factor of “bandwidth X time.”

Question 15

Traffic Shaping Policies for vSphere Distributed Switches.

Answer 15

The biggest difference from that of vSSs is that it can be configured for both inbound (ingress) and outbound (egress) traffic.

Question 16

Enabling TCP Segmentation Offload Support for a Virtual Machine.

Answer 16

TCP Segmentation Offload (TSO) enhances the networking performance of VMs by allowing the TCP stack to emit very large frames (up to 64 KB), even though the maximum transmission unit (MTU) of the interface is much smaller. The network adapter then separates the large frames into MTU-sized frames and prepends an adjusted copy of the original TCP/IP headers.

TSO is enabled by default for the VMkernel port but must be enabled on the VM.

Not just any vNIC can handle TSO. In fact, not just any OS can handle it, either. If you want to use TSO, you must install an enhanced enhanced vmxnet adapter. You can enable TSO support on the VMs that run the following guest OSs:

1. Microsoft Windows Server 2003 Enterprise Edition with Service Pack 2 or later (32 bit and 64 bit)
2. Red Hat Enterprise Linux 4 (64 bit) or later
3. SUSE Linux Enterprise Server 10 or later (32 bit and 64 bit)

Question 17

Enabling Jumbo Frames Support on Appropriate Components.

Answer 17

Enabling jumbo frame support on your ESXi host and VMs allows them to send out much larger frames than normal into the network (9,000 bytes versus 1,518 bytes).
You can then enable jumbo frames for the VMkernel interfaces and for the VMs.
Of course, the actual steps to enable jumbo frame support for vSSs are different from those for vDSs.

Question 18

Enabling Jumbo Frames on a vDS.

Answer 18

You can enable jumbo frames for an entire vDS. Just as with the VMkernel port on the vSS, you must increase the MTU.

Question 19

Enabling Jumbo Frame Support on Virtual Machines.

Answer 19

After you have enabled jumbo frames on your physical network and your virtual switches, configuring the VMs to work with them is a matter of installing the proper vNIC on the VM and configuring the guest OS to use it. You might think that the best vNIC to use would be the vmxnet3. However, there is a known issue with the vmxnet3, so you should choose either the vmxnet2 (enhanced vmxnet) or the e1000 vnic, whichever is best for the OS on the VM.

Question 20

Determining Appropriate VLAN Configuration for a vSphere Implementation.

Answer 20

network. You can create and control multiple subnets using the same vmnic, or a group of subnets with a small group of vmnics, and provide for load balancing and fault tolerance as well.

Still, an even more defined way to separate the components of your network is by using a new vmnic for each one. This is referred to as physical separation. It is considered even more secure than VLANs because it avoids the VLAN hopping attack. It is a best practice to use a separate vmnic for each type of network that you create. For example, you should use a separate vmnic for VM port groups than you do for management VMkernel ports. Also, you should separate vmnics for each type of VMkernel port whenever possible. For example, it would be best to have a different vmnic for each of your VMkernel ports for vMotion, FT logging, iSCSI storage, NFS datastores, and management.

Figure 6-23.!!