Section 2 - Configure and Administer Advanced vSphere 6.x Networking
vSphere Distributed Switch must be at version 6.0 to support vSphere Network I/O Control 3 (NIOC3).
Objective 2.1 - Configure Advanced Policies/Features and Verify Network Virtualization Implementation
vSphere Distributed Switch (vDS):
- requires Enterprise licensing from VMware
- allows for Private VLANs
- can traffic shape inbound traffic as well as outbound (vSS is only outbound)
- supports port mirroring and Netflow
- LLDP is supported
- supports Link Aggregation Control Protocol (LACP)
- support for Network I/O Control (NIOC)
Listed Maximums for vDS:
4096 - Total virtual network ports per host
1016 - Maximum active ports per host
10,000 - Static/Dynamic port groups per distributed switch
1016 - Ephemeral port groups per distributed switch
60,000 - Ports per distributed switch
128 - Distributed switches per vCenter
16 - Distributed switches per host
64 - LACP LAGs per host
1,000 - Hosts per distributed switch
64 - NIOC resource pools per vDS
64 - Link aggregate groups per vDS
Note 1: The latest vDS version is 6.0.0. You can always upgrade to a later version but can never downgrade.
Note 2: Removing an ESXi host from a vDS: all VMs and VMkernel ports associated with the host you are removing must be removed from the vDS!
vDS dvPort group ‘Edit Settings’ sections that can be configured:
- General
- Advanced
- Security
- Traffic shaping
- VLAN
- Teaming and failover
-- Active uplinks, Standby uplinks, Unused uplinks
- Monitoring
- Traffic filtering and marking
- Miscellaneous
Note: Deleting a dvPort group from a vDS: if any ports are assigned on the dvPort group, you will not be able to delete it.
Configure LACP on Uplink port groups on a vDS:
- The Link Aggregation Group (LAG) must have a minimum of 2 ports
- The number of physical uplinks in the LAG must match the number of physical ports in the LACP port channel on the physical switch
- The hashing algorithm on the LAG must match the hashing algorithm on the LACP port channel on the physical switch
Note: LAG modes are Active or Passive.
Note: In order to use PVLANs (Private VLANs) the upstream physical switch(es) must support PVLANs as well.
Policy exceptions for distributed port groups are:
- Promiscuous Mode
- MAC Address Changes
- Forged Transmit
dvPort group blocking policy -> dropdown “Block all ports” = YES will STOP all VM traffic on the dvPort group!
“Teaming and failover” options for Load Balancing:
- Route based on originating port ID
- Route based on IP hash*
- Route based on source MAC hash*
- Use explicit failover (1st uplink listed under “Active uplinks”)
- Route based on physical NIC load
*The physical uplinks must be in a port channel on the physical switch.
Notify switches policy:
- YES (notify upstream physical switches to update their lookup tables)
- NO (use case: running Microsoft NLB in unicast mode)
Failback policy:
- YES (fail back when the failed physical adapter comes back online)
- NO
Failover order:
- Active uplinks
- Standby uplinks
- Unused uplinks
dvPort Configure VLAN/PVLAN settings - VLAN type:
- None
- VLAN
- VLAN Trunking
- Private VLAN
Traffic shaping policies:
- Traffic shaping is configured per dvPort group and not at the distributed switch level
- Traffic shaping can be applied both ingress and egress (vSS is egress only)
- 4 settings for Ingress/Egress:
-- Status: Enabled or Disabled
-- Average Bandwidth (defined in Kbits/sec)
-- Peak Bandwidth (defined in Kbits/sec)
-- Burst Size (defined in Kbytes/sec)
TCP Segmentation Offload (TSO) support for a VM:
- TSO is supported for VMkernel adapters and virtual machines
- TSO is enabled by default for VMXNET2 and VMXNET3 network adapters
- TSO needs to be enabled inside the Linux/Windows virtual machine:
-- Linux: ethtool -K ethY tso on
-- Windows: enable Large Send Offload V2 and restart the VM
Jumbo Frames MTU is 9000.
9000 - is the max MTU size (in bytes) that an administrator can set on a virtual switch
9000 - is the maximum supported Maximum Transmission Unit (MTU) value on a vSphere Distributed Switch.
VLAN tagging options:
- Virtual Switch Tagging (VST)
- External Switch Tagging (EST)
- Virtual Guest Tagging (VGT)
Two VLAN policies available in vSphere 6.x Distributed Port Groups:
- VLAN
- Private VLAN
Objective 2.2 - Configure Network I/O Control (NIOC)
Network I/O Control requirements:
- NIOC v2 gives the ability to reserve network resources for a VM on the physical adapter
- NIOC v3 gives the ability to reserve network resources for a VM across the switch
- NIOC v3 includes resource management for system traffic (such as FT)
- NIOC v3 can only run on vDS version 6.0 with ESXi version 6.0
- SR-IOV isn’t available on VMs using NIOC v3
- NIOC requires Enterprise+ licensing
Network I/O Control capabilities:
- Can do IEEE 802.1p tagging on outbound packets
- Utilizes load-based teaming uplinks on a particular vDS
- Can do traffic isolation
- Can enforce traffic bandwidth limits across uplinks on the vDS
- Can do network partitioning using a Shares mechanism
- Separates traffic into network resource pools.
Pre-defined NIOC network resource pools:
- iSCSI
- NFS
- Virtual machine traffic
- vMotion
- vSphere Replication
- FT Logging
- Management traffic
Monitor NIOC:
vSphere Web Client -> Networking -> Resource Allocation -> System traffic (bandwidth) <or> Network resource pools (quota)
Objective 2.3 - Configure vSS and vDS Policies
Common policies that exist within vSS and vDS:
- Security: policy exceptions: Promiscuous Mode, MAC Address Changes, Forged Transmits...
- Traffic Shaping (vSS outbound only, vDS inbound and outbound): policy exceptions: Average Bandwidth (Kbits/sec), Peak Bandwidth (Kbits/sec), Burst Size (kbytes/sec)...
- Teaming and Failover: policies: Load Balancing, Network Failure Detection, Notify Switches, Failover and Failback...
Policies that apply to the vDS only: NIOC, Port Mirroring, NetFlow, Private VLANs...
Note: Most of these policies live on the dvPort groups themselves.
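A quick audit of the three security policy exceptions (Promiscuous Mode, MAC Address Changes, Forged Transmits) listed under Objectives 2.1 and 2.3, written here as an added PowerCLI example and not taken from these notes or from VMware. It assumes an existing Connect-VIServer session, a vDS named dvSwitch01 (placeholder name), and that every dvPort group on it should have all three exceptions set to Reject.

```powershell
# Added example: report dvPort groups whose security policy still allows
# promiscuous mode, MAC address changes or forged transmits, and optionally
# set all three back to Reject. Assumes Connect-VIServer has already run.
Import-Module VMware.VimAutomation.Vds

$vdsName   = "dvSwitch01"   # placeholder, replace with your switch name
$Remediate = $false         # set to $true to apply the fix instead of only reporting

$vds = Get-VDSwitch -Name $vdsName

# One row per dvPort group; "Compliant" is true only when all three are Reject ($false).
$report = Get-VDPortgroup -VDSwitch $vds | ForEach-Object {
    $pg  = $_
    $pol = Get-VDSecurityPolicy -VDPortgroup $pg
    [pscustomobject]@{
        Portgroup        = $pg.Name
        AllowPromiscuous = $pol.AllowPromiscuous
        MacChanges       = $pol.MacChanges
        ForgedTransmits  = $pol.ForgedTransmits
        Compliant        = -not ($pol.AllowPromiscuous -or $pol.MacChanges -or $pol.ForgedTransmits)
    }
}

$report | Sort-Object Compliant, Portgroup | Format-Table -AutoSize

$nonCompliant = $report | Where-Object { -not $_.Compliant }
Write-Host ("{0} of {1} dvPort groups on {2} have at least one exception set to Accept." -f
    @($nonCompliant).Count, @($report).Count, $vdsName)

if ($Remediate -and $nonCompliant) {
    foreach ($row in $nonCompliant) {
        # Set-VDSecurityPolicy takes the policy object from the pipeline and
        # pushes the new values to the dvPort group.
        Get-VDPortgroup -VDSwitch $vds -Name $row.Portgroup |
            Get-VDSecurityPolicy |
            Set-VDSecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
            Out-Null
        Write-Host ("Reset security exceptions to Reject on {0}" -f $row.Portgroup)
    }
}
```

Review the non-compliant list before setting $Remediate to $true: a dvPort group that carries traffic for a workload that genuinely needs one of these exceptions (for example a virtual firewall or IDS sensor) should be excluded rather than reset.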