Objective 3.3 – Configure and Manage vSS and vDS Policies

Knowledge

  • Identify common vSS and vDS policies
    • Common Security Policies
      • Promiscuous Mode (default is reject) – When enabled, allows a VM to see all traffic passing through the vSwitch
      • MAC address changes (default is accept) – Determines whether a VM is permitted to receive traffic on a changed MAC address. May be required for NLB or Windows Clustering.
      • Forged Transmits (default is accept) – Determines whether a VM is permitted to transmit traffic on a changed MAC address.
  • Configure dvPortgroup blocking policies
    • Block single port with Web Client
      • Go to vCenter Home and Networking
      • Expand the Datacenter object
      • Click on the vDS object
      • Manage > Ports
      • Find the port ID in the list
      • Select the port ID and click the pencil icon to edit
      • Go to the Miscellaneous section and select “Block port”, and change the Override to “yes”
      • Click OK to apply the setting
    • Block all ports on a Distributed Port Group with Web Client
      • Go to vCenter Home and Networking
      • Expand the Datacenter object
      • Right click on the vDS object and select “Edit settings”
      • Go to the Miscellaneous section and change “Block all ports” to “yes”
      • Click OK to apply the setting
  • Configure load balancing and failover policies
    • vSS – Default policies are set on the vSwitch; these can be overridden on the port group.
    • vDS – Policies are set on each Distributed Port Group
    • Load Balancing
      • Route based on IP hash – requires Etherchannel (or LACP on vDS) on the physical switch
      • Route based on source MAC hash – similar to above, but doesn’t need channel bonding
      • Route based on originating virtual port – traffic exits through the same port it came in on
      • Use explicit failover order – no load balancing, just failover
      • Route based on physical NIC load (vDS only) – distributes the load based on traffic volume
    • Network Failover Detection
      • Link Status Only – This uses the link state of the physical NIC. If the switch fails or the cable gets unplugged, the failure will be detected and failover will be initiated. This cannot detect if the switch becomes isolated or misconfigured.
      • Beacon Probing – This sends and listens for beacon probes on all NICs that are part of the team. This is used to determine whether a NIC has connectivity, and can detect more failures than Link Status Only. Do not use in conjunction with IP hash Load Balancing.
      • Notify Switches – If set to “yes” then physical switches will be notified to update MAC/ARP tables in the event of a failover. Do not use when using Microsoft NLB in unicast mode.
      • Failback Policy – If set to “yes”, return to the original configuration after a NIC failure has been resolved; if set to “no”, continue in failover mode.
  • Configure VLAN settings
    • vSS
      • Configured on the port group, under Edit Settings and Properties, configure the chosen VLAN ID or set to 0 to use the base VLAN on the physical switch port.
    • vDS
      • Configured on the distributed port group, under Manage, Settings, Edit, VLAN
        • None – no VLAN tagging
        • VLAN – Enter the VLAN ID to be used
        • VLAN Trunking – Enter the range of VLANs to be trunked
        • Private VLAN – Enter the private VLAN to be used (must be configured on the vDS first)
  • Configure traffic shaping policies
    • vSS
      • Configured on the vSwitch or port group, under Edit Settings and Properties
      • Applies only to egress traffic
    • vDS
      • Configured on the distributed port group, under Manage, Settings, Edit, Traffic Shaping
      • Applies to ingress and/or egress traffic
    • Policies:
      • Average Bandwidth – determines the Kbits/sec allowed to traverse each port, averaged over time.
      • Peak Bandwidth – the maximum rate the bandwidth can burst to
      • Burst Size – the amount of data allowed to burst up to the Peak Bandwidth rate
      • Network IO Control – configured under the “Resource Allocation” tab; only applies to egress traffic. Create a new policy group and apply it to a port group.
  • Enable TCP Segmentation Offload (TOE) support for a virtual machine
    • TOE is enabled when using the VMXNet3 network adapter
  • Enable Jumbo Frame support on appropriate components
    • Enable on the vSwitch (vSS or vDS), enable on vmknics, enable on VMs by installing the VMXNet3 adapter and enabling within the Guest OS.
    • Normally only enable for iSCSI and/or vMotion
  • Determine appropriate VLAN configuration for a vSphere implementation
    • There is no single appropriate configuration to put here. Understand the following:
      • External Switch Tagging – all tagging occurs at the physical switch
      • Virtual Switch Tagging – all tagging occurs at the virtual switch. The physical switch ports must be configured as trunk ports. Port groups must have the VLAN ID specified.
      • Virtual Machine Tagging – tagging is done by the VM. The Guest OS must be able to handle 802.1Q traffic. The physical switch ports must be configured as trunk ports.
      • Private VLANs – Understand PVLANs and where/why to use them.
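
An added example (not part of the original post) that audits the three security policies from the "Common Security Policies" list against a hardened baseline in which all three are set to Reject. It parses text modelled on the output of `esxcli network vswitch standard policy security get -v <vSwitch>`; the sample output, the `## <name>` header convention and the all-Reject baseline are assumptions constructed for this example.

```python
import re

# Fields checked; the assumed hardened baseline is false (Reject) for each.
# The defaults in the list above leave the last two at true (Accept).
FIELDS = ("Allow Promiscuous", "Allow MAC Address Change",
          "Allow Forged Transmits")

# Constructed sample: one block of "get" output per vSwitch, each preceded
# by a "## <name>" header that the collecting loop is assumed to add.
SAMPLE = """\
## vSwitch0
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
## vSwitch1
   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false
## vSwitch2
   Allow Promiscuous: false
   Allow MAC Address Change: false
"""

def parse_policies(text):
    """Return {switch: {field: bool}} from the concatenated output."""
    switches, current = {}, None
    for line in text.splitlines():
        header = re.match(r"##\s+(\S+)", line)
        field = re.match(r"\s*(Allow [^:]+):\s*(true|false)\s*$", line)
        if header:
            current = switches.setdefault(header.group(1), {})
        elif field and current is not None:
            current[field.group(1).strip()] = field.group(2) == "true"
    return switches

def audit(text):
    """Return sorted (switch, field, finding) tuples for every deviation."""
    findings = []
    for name, policy in parse_policies(text).items():
        for field in FIELDS:
            if field not in policy:  # missing output is never "compliant"
                findings.append((name, field, "missing"))
            elif policy[field]:
                findings.append((name, field, "accept"))
    return sorted(findings)

if __name__ == "__main__":
    for switch, field, finding in audit(SAMPLE):
        print(f"{switch}: {field} -> {finding}")
```

On the sample, vSwitch0 is flagged for the two settings left at their Accept defaults, vSwitch1 for promiscuous mode, and vSwitch2 for a field absent from its output. An Accept finding on a switch that carries NLB or Windows Clustering traffic may be a documented exception rather than a misconfiguration.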

Tools

  • vSphere Installation and Setup Guide
  • vSphere Networking Guide
  • vSphere Web Client
  • vSphere Client
