VCP6vHerseyVITAVMware

VCP6-DCV Delta Study – Section 2 – Objective 2.3

This post covers Section 2, Configure and Administer Advanced vSphere Networking, Objective 2.3, Configure vSS and vDS Policies.

The vSphere Knowledge covered in this objective:

  • Identify common vSS and vDS policies
  • Describe vDS Security Polices/Settings
  • Configure dvPort group blocking policies
  • Configure load balancing and failover policies
  • Configure VLAN/PVLAN settings
  • Configure traffic shaping policies
  • Enable TCP Segmentation Offload support for a virtual machine
  • Enable Jumbo Frames support on appropriate components
  • Determine appropriate VLAN configuration for a vSphere implementation

Objective 2.3 VMware Resources and Tools include:

Much of the vSphere knowledge covered in this objective overlaps with Objective 2.1, Configure Advanced Policies/Features and Verify Network Virtualization Implementation.


– Identify common vSS and vDS policies

vSphere Standard Switches Overview

vSphere Distribute Switch Architecture

Virtual Standard Switch (vSS) Policies/Settings:

  • Security
  • Traffic Shaping (outbound traffic only)
  • Teaming and Failover
  • VLAN (None, VLAN ID, All) – Configured on PortGroup
  • MTU

Setting VLAN policy to All (4095) allows all VLANs are pass, tagging is done at the guest.

Virtual Distributed Switch (vDS) Policies/Settings:

  • Security
  • Traffic Shaping (inbound and outbound traffic)
  • VLAN (None, VLAN ID, VLAN trunking, PVLAN) – Configured on PortGroup
  • MTU
  • Teaming and failover
  • Monitoring (NetFlow)
  • Traffic filtering and marking
  • Miscellaneous (Port Blocking Policy)
  • LACP
  • Port mirroring
  • Health check (VLAN and MTU, Teaming and failover)

Setting the VLAN policy to VLAN trunking allows VLANs to be pruned by specifying VLANs to allow. VLAN tagging is done at the guest.

– Describe vDS Security Polices/Settings
The three network security policies on virtual distributed switches:

  • Promiscuous mode – vDS and vSS Default setting: Reject
    Setting this to Accept allows the guest operating system to receive all traffic observed on the connected vSwitch or PortGroup (think Hub instead of switch).
  • MAC address changes – vDS Default setting: Reject, vSS Default setting: Accept
    Host accepts requests to change the effective MAC
    address to a different address than the initial MAC address.
  • Forged transmits – vDS Default setting: Reject, vSS Default setting: Accept
    Host does not compare source and effective MAC addresses transmitted from a virtual machine.

Each of these can be set to Reject or Accept.

Network security policies can be set on the virtual switch or on the virtual port group.

By default MAC address changes and Forged transmits are set to Accept on virtual standard switches (vSS).

– Configure dvPort group blocking policies
Port Blocking Policies in the vSphere Networking Guide on page 128.

Port blocking policies are only available on virtual distributed switches (vDS).

Ports can be blocked to prohibit them from sending or receiving data.

Port blocking can be enabled on a port group to block all ports on the port group.
block-all-ports

Individual vDS or uplink ports can be blocked using the Web Client -> Networking -> vDS -> Manage -> Ports
Select the port and edit the settings of the port. From the Miscellaneous menu select the Override checkbox and set Block port to yes.
block-single-port

– Configure load balancing and failover policies
Load Balancing Algorithms Available for Virtual Switches in the vSphere Networking Guide on page 91.
vDS load balancing:

  • Route based on IP hash
    Use this when Cisco etherchannel is used on the physical switch.
  • Route based on source MAC hash
  • Route based on originating virtual port
  • Use explicit failover order
    Use adapters in the order they are configured.
  • Route based on physical NIC load (Only available on vDS)

Virtual switch failover order:

  • Active uplinks
    Used when network connectivity is up and active.
  • Standby uplinks
    Used when active adapter connectivity is down.
  • Unused uplinks
    Not used.

When using IP hash load balancing do not configure standby uplinks.

Failover order can be specified on the virtual switch or port group (Override Failover order on vSS).

During a failover, standby adapters activate in the order specified.

Failback – determines how/if a physical adapter is returned to active after a failure.

Notify switches – When a virtual NIC is connected to virtual switch or whenever that virtual NIC’s traffic would be routed over a different physical NIC in the team because of a failover event, a notification is sent out over the network to update the lookup tables on physical switches.

Network Failover Detection:

  • Link Status only
    Determines link availability based on if the adapter is physically up or down. Detects cable errors/pulls or physical switch failures, but not configuration issues.
  • Beacon Probing
    Sends out and listens for beacon probes on all NICs in the team and uses this information, in addition to link status, to
    determine link failure.

Do not use Beacon probing with IP hash load balancing.
Do not use Beacon probing on virtual switches with less than 3 uplinks.

ESXi sends beacon packets every second.
The NICs must be in an active/active or active/standby configuration because the NICs in an unused state do not participate in beacon probing.

– Configure VLAN/PVLAN settings
VLAN Policy in the vSphere Networking Guide on page 99.

VLAN type:

  • None
    No VLAN tagging. Physical switch ports configured as access ports or VLAN configured as native VLAN on trunk port.
  • VLAN
    VLANs are tagged on the virtual switch.
  • VLAN trunking
    VLANs are tagged at the guest.
  • Private VLAN

Private VLANs in the vSphere Networking Guide on page 130.
edit-pvlans
Types of PVLANs:

  • Promiscuous
    Communicates with other promiscuous ports in the same PVLAN and with Community and Isolated PVLANs.
  • Community
    Communicates with promiscuous ports and ports within the same Community.
  • Isolated
    Communicates only with promiscuous ports.

create-pvlans
PVLANs are only available on vDS.

– Configure traffic shaping policies
Traffic Shaping Policy in the vSphere Networking Guide on page 103.

vDS supports both ingress and egress traffic shaping
pg-traffic-shaping

Traffic shaping policy is applied to each port in the port group.

  • Average bandwidth in kbits (Kb) per second.
    Bits per second to allow across a port, averaged over time.
  • Peak bandwidth in kbits (Kb) per second.
    Maximum number of bits per second to allow across a port when it is sending or receiving a burst of traffic.
  • Burst size in kbytes (KB) per second.
    Maximum number of bytes to allow in a burst.

Traffic Filtering and Marking Policy in the vSphere Networking Guide on page 108.

Traffic filtering and marking is only available on vDS.

Traffic filtering and marking:

  • CoS tagging
  • DSCP tagging

Network traffic rule actions can be to Tag, Allow, or Drop.
network-traffic-rule

– Enable TCP Segmentation Offload support for a virtual machine
TCP Segmentation Offload in the vSphere Networking Guide on page 148.

TCP Segmentation Offload (TSO) improves the performance of ESXi hosts by reducing the overhead of the CPU for TCP/IP network operations. When TSO is enabled, the network adapter divides larger data chunks into TCP segments instead of the CPU.

To determine if TSO is supported on a physical network adapter use esxcli network nic tso get
esxcli-get-tso

Enable TSO on an ESXi host by setting the Advanced System Setting Net.UseHwTSO (for IPv4) and Net.UseHwTSO6 (for IPv6) to 1

To enable TSO on a Linux VM run ethtool -K ethX tso on (where X is the ethernet interface number)

TSO is enabled on a Window virtual machine by default when using VMXNET2 and VMXNET3 network adapters.

– Enable Jumbo Frames support on appropriate components
Jumbo Frames in the vSphere Networking Guide on page 146.

By default the MTU on vSS and vDS is set to 1500.

To enable Jumbo Frames set MTU to 9000. This needs to be set end to end for Jumbo Frames to work correctly.
9000 bytes is the maximum frame size that you can configure in vSphere.

mtu-vds

Jumbo Frames can be enabled on a vSwitch, vDS, and VMkernel Adapter.

Enabling Jumbo Frame support on a virtual machine requires using the enhanced VMXNET adapter.

– Determine appropriate VLAN configuration for a vSphere implementation
VLAN Configuration in the vSphere Networking Guide on page 129.

VLAN Tagging Modes:

  • EST – External Switch Tagging
    VLAN ID is set to None or 0. The physical switch preforms VLAN tagging.
  • VST – Virtual Switch Tagging
    VLAN set between 1 and 4094. The virtual switch performs VLAN tagging.
  • VGT – Virtual Guest Tagging.
    VLAN set to ALL (4095) on vSS or VLAN trunking on vDS. VLANs are tagged at the virtual guest.

More Section Objectives in the VCP6-DCV Delta Exam Study Guide Index

I hope you found this helpful. Feel free to add anything associated with this section using the comments below. Happy studying.

Leave a Reply

Your email address will not be published. Required fields are marked *

20 − 11 =