Uncovering Virtual Networking Part-3: Policy inheritance


Here is another instalment in this series. In my last post, Part 2: Virtual Switches, we discussed the switch types in vSphere. With this post we move on to switch configuration and policies. Before I cover these settings and policies individually in later posts, here we will first explore switch properties, portgroup properties, the parent-child relationship between them, and so on. This groundwork is necessary: before setting up policies, we need to understand how to access these policy options and where to configure them.

Though we already covered switches in the previous post, let's quickly recap the components of virtual switches (vSS/vDS).

So we have port groups, VMkernel ports and uplink ports. That is all; nothing complicated. From the previous posts we already know what these components are and what they are used for.

Just FYI, on a standard switch we use the term portgroup, and on a DVS we simply refer to them as dv-portgroups. This does not change the concept of what port groups are; they may differ in feature set simply because they belong to their respective switch types.

Let us quickly see how to access switch properties and portgroup properties. Why?

We need to understand the parent-child relationship in virtual switches, since all the policies are configured with this relationship taken into account. We cannot simply enable policies only on the switch or only on a portgroup.

Accessing standard switch properties

  • Since standard switch management is per ESXi host, navigate to the ESXi host, click Configure, select Virtual switches under Networking and then click EDIT as shown below.

Accessing portgroup properties on a standard switch

  • Click the three dots in the <portgroup name> box (in this case VM Network) on the switch topology diagram, then click Edit settings as shown below.

We will discuss standard switch and portgroup properties shortly. For now, let's keep it to accessing the properties.

Accessing DVS and its portgroup properties

  • Since the DVS is managed by vCenter Server, we need to access it through the vCenter inventory, not from the ESXi host. To access the DVS, navigate to the Networking view from the Menu options as shown below.
  • Once on the page, click the name of the DVS under the datacenter in the inventory pane on the right-hand side (the screen's right side, not yours 🙂).
  • To access the DVS properties, go to the Configure tab, click Properties and click EDIT as shown below.

DVS portgroup properties

  • Expand the DVS in the inventory pane on the right-hand side of the screen and click the dv-portgroup name.
  • Navigate to the Configure tab and click Edit as shown below.

That's how we access switch and portgroup properties for standard switches and DVS.

So what do we get to set once we have accessed the properties?

NOTE

Here we will look at the available options in brief. We will not dive into them in depth in this post; I will discuss each setting in depth in its own post.

Standard Switch (vSS)

Let’s look at properties of a standard Switch.

  • As you can see, the MTU setting is available on the main screen when Properties is selected. You can change the MTU here; for example, to enable jumbo frames, set MTU to 9000.
  • If we select Security, we get three policy settings: Promiscuous mode, MAC address changes, and Forged transmits. The defaults for each of these settings are as in the image below.
  • Under Traffic shaping, you can set egress traffic shaping options: Average bandwidth, Peak bandwidth, and Burst size. By default traffic shaping is not enabled.

I missed the screenshot here; don't worry, you'll see it at portgroup level.

  • Under Teaming and failover, you can set the load balancing policy, network failure detection, Notify switches, and automatic Failback. You can also specify the failover order.
  • Below are the default teaming and failover settings for a standard switch.

Load balancing

  • Route based on originating virtual port
  • Route based on IP hash
  • Route based on source MAC hash
  • Use explicit failover order

We will discuss these policies in another post. Now let's see what we get in the portgroup properties.

vSS portgroup properties

  • As you can notice, the options look similar to those at switch level, with some exceptions. Under Properties we get the Label (name) of the portgroup and the VLAN option for this portgroup, which differs from the switch-level settings.
  • Under Security, the options are the same, with an Override checkmark in front of each setting, since by default the portgroup inherits from its parent.
  • Under Traffic shaping, again the options are similar to switch level, with the added Override checkmark.
  • Under Teaming and failover, again the options are similar to switch level, with the Override checkmark.

Great, these are the options under standard switches and their port groups. As you can notice, there is a parent-child relationship between them: port groups inherit the settings of the virtual standard switch, and a port group can override the parent settings.

Now let’s look at DVS and dv-portgroups settings.

Distributed Switches

All the policies and settings that we saw in the standard switch are available in DVS. But there is a caveat here. Let's see what it is.

  • Accessing DVS properties gives you options to modify the switch identity (name), number of uplinks, NIOC, and switch description under General.
  • Uplinks, as we know, are the physical NICs of the ESXi host to be used by the switch.
  • While setting the number of uplinks, remember that whatever number you specify here applies to all ESXi hosts connected to the DVS.
  • So with the number below, i.e. 4, at least 4 physical NICs need to be present on every ESXi host, or else we will have issues.
  • Below are the default settings on the DVS under General.
  • Under Advanced, we can modify MTU, Multicast filtering mode, Discovery protocol and its operation mode. You can also define administrative contact details for the switch.
  • Below are the default settings under DVS Advanced.

Multicast filtering modes

There are two multicast filtering modes, as follows.

  • Basic.

The distributed switch forwards traffic that is related to a multicast group based on a MAC address generated from the last 23 bits of the IPv4 address of the group.

  • IGMP/MLD snooping.

The distributed switch forwards multicast traffic to VMs according to the IPv4 and IPv6 addresses of subscribed multicast groups, using the membership messages defined by the IGMP and Multicast Listener Discovery (MLD) protocols.

Discovery Protocols

  • Two protocols are supported: CDP and LLDP. Cisco Discovery Protocol is generally used for Cisco devices, and Link Layer Discovery Protocol is the vendor-neutral open standard.
  • There are three operation modes available for these protocols: Listen, Advertise, or Both.

If you compare these settings to the standard switch, it may appear that the DVS does not have many settings available at switch level.

Now you may also be curious what happened to all those policies, since I also mentioned that the DVS has all the policies of the standard switch.

Let's explore further to understand how.

DVS portgroup

On the dv-portgroup properties page, we see similar names to those we saw earlier in standard switches, but we can see a bunch of new options as well.

  • Under General, you can specify the portgroup name, port binding method, port allocation, number of ports, network resource pool and description.
  • Under port binding, we can set it to Static binding or Ephemeral (the Dynamic binding method has been deprecated).
  • Read more about port binding and port allocation at VMware KB.
  • Below are the default settings under General.
  • Next, under Advanced, we have reset at disconnect, and we can also allow or disable policy overrides for ports. What does that mean?
  • Read the statements in the paragraphs below marked with (***) at the end.
  • Below are the default settings under Advanced.
  • Under VLAN, we get all the options of the standard switch plus additional ones such as VLAN, Private VLAN and VLAN trunking. I'll talk about VLANs in depth in another post.
  • The default VLAN setting is None.
  • Under Security, we have similar options to the standard switch, with a variation in the defaults: all three options default to Reject.
  • Under Teaming and failover, again similar settings to the standard switch, with one extra load balancing policy: load based teaming.
  • Next, under Traffic shaping, since DVS supports both Egress (outbound) and Ingress (inbound) shaping, you'll see settings for both.
  • Under Monitoring, you can enable or disable NetFlow. By default it is Disabled.
  • Under Miscellaneous, you can set Block all ports to Yes or No. Read more here.

Interestingly enough, you did not see an Override checkmark on port groups here in DVS. Does that mean the dv-portgroup acts as the parent?

Of course it acts as the parent. But then who is acting as the child? Curious again?

Unlike the standard switch, the DVS offers management granularity: in DVS, the portgroup acts as the parent and every individual port acts as a child. ***

How does that offer granularity?

You can configure all the policy settings we talked about per individual port in DVS. That offers excellent design possibilities and control over the virtual network. In standard switches, the maximum granularity we have is the portgroup level; we cannot access individual ports in vSS. ***

Let’s see individual port properties now.

Port properties in DVS

I will not rewrite the option details below, as they are the same as for the dv-portgroup and the settings are inherited from the dv-portgroup.

  • To access individual port properties, select the dv-portgroup in the inventory and navigate to the Ports tab. Select the port number from the list and click the pencil icon at the top.
  • On the Edit Settings page, under Properties, you can specify Name, Description, and override the network resource pool.
  • Under Security, now we see the override option discussed earlier.
  • Under traffic shaping,
  • Under VLAN,
  • Under Teaming and failover,
  • Under Monitoring,
  • And lastly under Miscellaneous,

As you can see, for each port we can define a different set of policies by overriding the parent policies.
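To make the two inheritance chains concrete (vSS switch -> portgroup, and dv-portgroup -> individual port), here is an added example that is not part of the original post: a small model of how an effective policy is resolved through parent and child, where a child value only applies if its Override checkmark is set and, on a DVS, the dv-portgroup allows overrides for that setting. It also audits where Promiscuous mode has been set to Accept, so you can see how a switch-level setting on a vSS is inherited by every portgroup below it. The level names, the per-setting keying of the "allow override" gate, and the sample chains are constructed assumptions, not output of vSphere.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Level:
    """One node in the inheritance chain: vSS switch -> portgroup, or dv-portgroup -> port."""
    name: str
    policy: dict = field(default_factory=dict)   # own configured values, e.g. {"promiscuous": "Reject"}
    override: frozenset = frozenset()             # keys whose Override checkmark is set on this level
    # dv-portgroup gate ("allow policy overrides for ports"), modelled per setting key (assumption).
    # None models a vSS, where a portgroup may always override its switch.
    allow_override: Optional[frozenset] = None

def effective_policy(chain):
    """Walk parent -> child. A child's value replaces the inherited one only if the child
    has the Override checkmark for that key AND the parent permits overriding that key.
    Returns (effective values, the level that set each value)."""
    effective = dict(chain[0].policy)
    source = {key: chain[0].name for key in effective}
    for parent, child in zip(chain, chain[1:]):
        for key in child.override:
            permitted = parent.allow_override is None or key in parent.allow_override
            if permitted and key in child.policy:
                effective[key] = child.policy[key]
                source[key] = child.name
    return effective, source

def audit_promiscuous(chain):
    """List (depth, level) for every level whose own setting accepts promiscuous mode,
    whether or not the parent currently lets it take effect. Depth 0 is the widest
    scope: the whole vSS, or the whole dv-portgroup on a DVS."""
    return [(depth, level.name) for depth, level in enumerate(chain)
            if level.policy.get("promiscuous") == "Accept"]

# Constructed sample: a vSS where promiscuous mode was accepted at switch level;
# only the portgroup that explicitly overrides it escapes the inherited Accept.
vss_chain = [
    Level("vSwitch0", {"promiscuous": "Accept", "mac_changes": "Accept", "forged_transmits": "Accept"}),
    Level("VM Network", {"promiscuous": "Reject"}, override=frozenset({"promiscuous"})),
]
# Constructed sample: a dv-portgroup that permits port-level overrides only for shaping and VLAN,
# so the port's attempted Accept stays blocked by the parent.
dvs_chain = [
    Level("dvPG-Prod", {"promiscuous": "Reject", "mac_changes": "Reject", "forged_transmits": "Reject"},
          allow_override=frozenset({"traffic_shaping", "vlan"})),
    Level("port 12", {"promiscuous": "Accept"}, override=frozenset({"promiscuous"})),
]

if __name__ == "__main__":
    for chain in (vss_chain, dvs_chain):
        effective, source = effective_policy(chain)
        print(chain[-1].name, "->", effective, "| set by", source, "| warnings:", audit_promiscuous(chain))
```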

Conclusion

We have various options when it comes to setting networking policies. In standard switches we can set them at switch level or at port group level. For DVS, we can set them at portgroup level or at individual port level. Understand the parent-child inheritance properties.

  • Be careful where you set a policy. For example, if we enable promiscuous mode at switch level in vSS, every portgroup inherits it and traffic visibility is opened up to all, which can turn into a serious compliance issue.
  • Another example is traffic shaping: when entering speed settings, since they are in kbps, you'll be doing some math. Even unintentionally missing a single digit can be a disaster for network performance.

Set your policies correctly and in the correct place.

That is all for this post. I hope it's informative. Check the next post in this series here: Part 4: Promiscuous mode.

!!!Cheers!!!

Do share, like, comment if you find it helpful.
