vSphere 6.7 ICM – Topic 5.2 – Configure virtual switch security, traffic-shaping and load-balancing policies

Continuing the vSphere 6.7 Install, Configure, and Manage modules, today we cover vSphere networking, one of the harder areas for VMware admins to master and one where many run into difficulty when applying network policies.

Points to Cover: –

  1. Understand Network Policies
  2. Security Policies
  3. Traffic Shaping
  4. Teaming & Failover
  5. Understand Load Balancing Policies
  6. What is MTU (Maximum Transmission Unit)

In the last section, we learnt the concepts of the vSphere Standard Switch and how to create a vSwitch in a vSphere environment. In this section, we explore configuring virtual switch security, traffic-shaping and load-balancing policies.

  • Standard switch policies are configured to improve the security of a complex virtual environment.
  • You can create multiple port groups on a standard switch and then apply different policies to each port group.
  • You can also apply the same network policies to all port groups by setting them on the standard switch itself.

Network Policies Apply at: –

  • Standard switch level (inherited by all port groups on that switch)
  • Port group level (overrides the switch-level setting for that port group)

How to Apply these Policies?

  • Log in to vCenter Server using the Web Client.
  • Click the host and go to Networking under the Configure tab.
  • Select the virtual switch and click the pencil icon to edit it.


The vSphere Standard Switch has the following network policies:

  • Security

  • Traffic Shaping

  • Teaming & Failover

  • MTU

Security: –

[Screenshot: vSphere Web Client, cp-esxi-02.pathshala.com, Virtual switches – Security policy]

  • Promiscuous Mode (Accept or Reject)

    • It can be defined at the virtual switch or the port group level.
    • If you change it to Accept, the guest OS can receive all traffic that passes through the vSwitch or port group.
    • When promiscuous mode is enabled at the port group level, objects defined within that port group have the option of receiving all incoming traffic on the vSwitch.
    • When promiscuous mode is enabled at the virtual switch level, all port groups within the vSwitch default to allowing promiscuous mode. However, promiscuous mode can be explicitly disabled on one or more port groups within the vSwitch.
    • By default, this policy is set to Reject on virtual switches (standard or distributed).
    • Let’s take an example: we have two port groups, PG-A and PG-B. In PG-A we have two virtual machines, VM-1 and VM-2. In PG-B we have another two virtual machines, VM-3 and VM-4.
    • If Promiscuous Mode is set to Reject, PG-A and PG-B do not share traffic; packets are delivered point to point only, to the VM they are addressed to.
    • If you set it to Accept, the traffic is delivered to both PG-A and PG-B, that is, to VM-1, VM-2, VM-3 and VM-4.

[Screenshot: Promiscuous Mode set to Reject]

  • MAC Address Changes (Accept or Reject)

    • This security policy is set to Accept by default on a standard switch and to Reject on a distributed switch.
    • If it is set to Accept, the host accepts requests to change the effective MAC address to one different from the initial MAC address.
    • MAC Address Changes is concerned with incoming traffic.
    • All virtual machines have two MAC addresses:
      1. Initial MAC – It is generated automatically and resides in the configuration file (the VMX file). The guest OS has no control over the initial MAC address.
      2. Effective MAC – It is configured by the guest operating system and is used during communication with other virtual machines. The effective MAC address is included in network communication as the source MAC of the virtual machine. When you set a manual MAC address inside a VM, that is an effective MAC.
    • Let’s take an example: you have a virtual machine with initial MAC address 00:50:56:AF:3C:FG. For some reason you change the MAC address of the virtual machine, and the effective MAC address changes to 00:50:56:AF:3C:EH.
    • A virtual machine’s Initial Address and Effective Address must agree with each other. If the guest OS changes the Effective Address, the port compares the Effective Address to the Initial Address.
    • If the security policy MAC Address Changes is set to Reject, the Initial Address and Effective Address no longer agree and the result is that the port is administratively down.
    • If the security policy MAC Address Changes is set to Accept, the new Effective MAC address is accepted in place of the Initial MAC, the ARP table is updated automatically and the virtual machine works as usual.
  • Forged Transmits (Accept or Reject)

    • With Forged Transmits set to Accept, the host does not compare the source MAC of frames transmitted by a VM with the VM’s effective MAC.
    • Forged Transmits is concerned with outgoing traffic.
    • If Forged Transmits is set to Reject, traffic is not passed from the virtual machine to the vSwitch (outgoing) if the initial and the effective MAC addresses do not match.
    • MAC Address Changes and Forged Transmits are also used by Windows as a mechanism to protect against duplicate IP addresses on the network. If a Windows system detects an IP address conflict, it sends out a forged transmit to reset the IP to the original MAC of the machine it thinks originally owned it, and then takes itself off the network. This protection mechanism for duplicate IP addresses does not work unless these security settings are allowed.
    • It is set to Accept on a Standard Switch and Reject on a Distributed Switch by default.
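The following Python model is an added example (not VMware code and not part of the original post) that encodes the three security settings as described above: policy inheritance from switch to port group, the MAC Address Changes check on inbound traffic, the Forged Transmits check on outbound frames, and an audit that lists every port group still at Accept. The switch and port group names, MAC addresses and the `VmPort` helper are constructed for illustration.

```python
from dataclasses import dataclass

# Defaults as stated above: True = Accept, False = Reject
VSS_DEFAULT = {"promiscuous": False, "mac_changes": True, "forged_transmits": True}
VDS_DEFAULT = {"promiscuous": False, "mac_changes": False, "forged_transmits": False}

def effective_policy(switch_policy, portgroup_override=None):
    """A port group inherits the switch-level policy; only the settings it
    explicitly overrides differ (e.g. Reject promiscuous on one port group)."""
    policy = dict(switch_policy)
    policy.update(portgroup_override or {})
    return policy

@dataclass
class VmPort:
    name: str
    initial_mac: str    # generated automatically, stored in the .vmx file
    effective_mac: str  # what the guest OS actually uses as its source MAC

def inbound_allowed(policy, port):
    """MAC Address Changes (inbound): if the guest changed its effective MAC
    and the policy is Reject, the port is administratively down."""
    if port.initial_mac.lower() == port.effective_mac.lower():
        return True
    return policy["mac_changes"]

def outbound_allowed(policy, port, frame_src_mac):
    """Forged Transmits (outbound): a frame whose source MAC differs from the
    port's effective MAC is dropped at the vSwitch when the policy is Reject."""
    if frame_src_mac.lower() == port.effective_mac.lower():
        return True
    return policy["forged_transmits"]

def audit(switches):
    """List every (switch, port group, setting) still at Accept.
    switches: {switch_name: (switch_policy, {portgroup_name: override_dict})}"""
    findings = []
    for sw_name, (sw_policy, portgroups) in switches.items():
        for pg_name, override in portgroups.items():
            policy = effective_policy(sw_policy, override)
            findings += [(sw_name, pg_name, k) for k, v in policy.items() if v]
    return findings

if __name__ == "__main__":
    # Constructed sample: vSwitch0 at vSS defaults, PG-B hardened to Reject
    vm1 = VmPort("VM-1", "00:50:56:af:3c:01", "00:50:56:af:3c:02")
    hardened = {"mac_changes": False, "forged_transmits": False}
    print(inbound_allowed(VDS_DEFAULT, vm1), inbound_allowed(VSS_DEFAULT, vm1))
    print(audit({"vSwitch0": (VSS_DEFAULT, {"PG-A": {}, "PG-B": hardened})}))
```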

Traffic Shaping: –

Traffic Shaping is the feature to control the quantity of traffic that is allowed to flow across a link. That is, rather than letting the traffic go as fast as it possibly can, you can set limits to how much traffic can be sent.

[Screenshot: vSphere Web Client, cp-esxi-02.pathshala.com, Virtual switches – Traffic shaping policy]

You can configure a traffic shaping policy for each port group in Standard or Distributed Switch.

Traffic shaping applies to outbound traffic only on standard switches, and to both inbound and outbound traffic (ingress and egress traffic shaping) on distributed switches.

Traffic Shaping is defined by:

[Screenshot: Traffic shaping settings]

  • Average bandwidth (100000 Kbits/sec)

    • Establishes the number of bits per second allowed across a port, averaged over time.
    • This number is the allowed average load.
    • By default, traffic gets the bandwidth defined as the Average bandwidth.
  • Peak bandwidth (100000 Kbits/sec)

    • Maximum number of bits per second allowed across a port when it is sending or receiving a burst of traffic.
    • This number limits the bandwidth that a port uses when it is using its burst bonus.
    • The average bandwidth can be exceeded when needed by specifying a higher Peak bandwidth value.
  • Burst size (102400 Kbytes)

    • Maximum number of bytes, in kilobytes, allowed in a burst transmitted at the peak bandwidth rate.
    • When the port needs more bandwidth than the average bandwidth specifies, it may temporarily transmit at a higher speed if a burst bonus is available. In other words, when you need to send more traffic than the average bandwidth allows, you transmit a burst of traffic that exceeds the allowed average.
    • Traffic is allowed to burst until the Burst size value has been used up.
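To make the interplay of the three values concrete, here is an added token-bucket model (constructed for this post, not ESXi code): credit accrues at the average rate up to the burst size, and each interval lets through at most the peak rate or the remaining credit. It assumes 1 Kbit = 1000 bits and 1 KB = 1024 bytes, and the 200 Mbit/s demand profile is constructed.

```python
# Token-bucket model of a traffic-shaped port (added example, constructed).
# Units follow the vSphere dialog: bandwidths in Kbit/s, burst size in KB.
# Assumptions: 1 Kbit = 1000 bits and 1 KB = 1024 bytes.

class ShapedPort:
    def __init__(self, average_kbps, peak_kbps, burst_kb):
        self.avg_bps = average_kbps * 1000 // 8  # bytes/s allowed on average
        self.peak_bps = peak_kbps * 1000 // 8    # bytes/s ceiling during a burst
        self.burst_bytes = burst_kb * 1024       # size of the "burst bonus"
        self.bonus = self.burst_bytes            # an idle port starts with a full bonus

    def send(self, demand_bytes, dt=1):
        """Bytes actually let through in one interval of dt seconds."""
        # Credit accrues at the average rate, but never beyond the burst size
        self.bonus = min(self.burst_bytes, self.bonus + self.avg_bps * dt)
        # Output is capped by the peak rate and by the remaining bonus
        sent = min(demand_bytes, self.peak_bps * dt, self.bonus)
        self.bonus -= sent
        return sent

def simulate(port, demand_per_second):
    """Run a per-second demand profile through the port; return bytes sent."""
    return [port.send(d) for d in demand_per_second]

if __name__ == "__main__":
    # Constructed case: a VM pushing 200 Mbit/s (25,000,000 B/s) for 12 s.
    demand = [25_000_000] * 12
    # Peak above average: the port bursts, drains its bonus, then settles
    # at the average rate of 12,500,000 B/s.
    bursty = simulate(ShapedPort(100_000, 200_000, 102_400), demand)
    # Peak equal to average (the dialog defaults): burst size changes nothing.
    flat = simulate(ShapedPort(100_000, 100_000, 102_400), demand)
    print(bursty)
    print(flat)
```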

Teaming & Failover: –

[Screenshot: vSphere Web Client, cp-esxi-02.pathshala.com, Virtual switches – Teaming and failover policy]

  • Load Balancing Policy:

    • Route based on the originating virtual port ID

      • Each virtual machine has a virtual port ID on the vSwitch. The port ID of a virtual machine is fixed while the virtual machine runs on the same host. If you migrate, power off, or delete the VM, its port ID on the virtual switch becomes free and the VM gets a new port ID at the next power on.
      • The vSwitch selects uplinks based on the virtual machine port IDs.
      • This load balancing method is the default on Standard and Distributed Switches.
    • Route based on IP hash

      • Load balancing is based on the source/destination IP addresses.
      • The vSwitch selects uplinks for virtual machines based on the source and destination IP address of each packet.
      • With the IP hash load balancing policy, all physical switch ports connected to the active uplinks must be in EtherChannel mode.
      • This load balancing policy should be set for all port groups using the same set of uplinks.
      • Physical adapters attached to the vSwitch must be Active/Active.
      • Beacon probing is not supported with IP hash.
    • Route based on source MAC hash

      • Load balancing is based on the virtual machine’s MAC address.
      • To calculate an uplink for a virtual machine, the virtual switch uses the virtual machine MAC address and the number of uplinks in the NIC team.
    • Use explicit failover order

      • It is based on Route based on originating virtual port ID. The virtual switch checks the load of the uplinks and takes steps to reduce it on overloaded uplinks.
  • Network Failure Detection Policy:

    • Link status only

      • It only checks whether the link of the physical NIC is up or down.
      • This option detects failures such as cable pulls and physical switch power failures, but not configuration errors, such as a physical switch port being blocked by spanning tree or misconfigured to the wrong VLAN, or cable pulls on the far side of a physical switch.
    • Beacon Probing

      • Beacon probing checks the health and connectivity between each vmnic (physical NIC) in the same vSwitch.
      • This option detects many of the failures that link status alone does not detect.
      • ESXi sends a small packet out of one physical network card and checks whether it is received by the other physical network cards in the same vSwitch. If a vmnic receives the packet, the connectivity between those two physical NICs is healthy.
      • You must have at least 3 physical network ports in the same vSwitch before you turn on beacon probing. With only 2 physical network ports in the vSwitch, if the beacon packets cannot reach each other the switch cannot determine which NIC needs to be taken out of service.
      • Do not use IP hash for load balancing together with beacon probing.
  • Notify Switches Policy: (Yes/No)

    • Setting Notify switches to “Yes” determines how the ESXi host communicates failover events to the physical switches.
    • It is also used to update MAC address information on the physical switches.
  • Failback Policy: (Yes/No)

    • It applies when a failed physical NIC comes back online: the vSwitch sets that NIC back to active, replacing the standby NIC that took over.
    • By default it is set to Yes.
  • Failover Order Policy:

It specifies how the workload is distributed across the adapters.

    • Active Adapters

      • The vSwitch continues to use the adapter while the network adapter’s connectivity is available and active.
    • Standby Adapters

      • The vSwitch uses this adapter if one of the active adapters loses connectivity.
    • Unused Adapters

      • When a physical adapter is added to this section, the vSwitch does not use it.
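As an added example (constructed for this post, not ESXi code), the model below ties the teaming settings together: uplink selection by originating virtual port ID and by source MAC hash, and a `NicTeam` that walks the Active/Standby/Unused failover order on link status changes, honouring the Failback setting. The vmnic names are constructed, and the SHA-256 used for the MAC hash is a model choice, not ESXi’s actual hash function.

```python
import hashlib

def pick_by_port_id(port_id, uplinks):
    """Route based on originating virtual port ID: the port ID is fixed while
    the VM stays on this host, so the VM sticks to one uplink until it moves."""
    return uplinks[port_id % len(uplinks)]

def pick_by_mac_hash(mac, uplinks):
    """Route based on source MAC hash: the VM's MAC plus the number of uplinks
    in the team pick the uplink (SHA-256 here is a model choice, not ESXi's)."""
    digest = hashlib.sha256(mac.lower().encode()).digest()
    return uplinks[int.from_bytes(digest[:4], "big") % len(uplinks)]

class NicTeam:
    """Failover order: Active adapters carry traffic, Standby adapters step in
    when an active one fails, Unused adapters are never used."""

    def __init__(self, active, standby, unused=(), failback=True):
        self.active, self.standby = list(active), list(standby)
        self.unused, self.failback = list(unused), failback
        self.link_up = {n: True for n in self.active + self.standby + self.unused}
        self.in_use = list(self.active)  # adapters currently carrying traffic

    def link_change(self, nic, up):
        """Apply a link status change (what 'Link status only' detects)."""
        self.link_up[nic] = up
        if not up and nic in self.in_use:
            self.in_use.remove(nic)
            # Replacement: first healthy adapter, active before standby, not
            # already in use. Unused adapters are never candidates.
            for cand in self.active + self.standby:
                if self.link_up[cand] and cand not in self.in_use:
                    self.in_use.append(cand)
                    break
        elif up and nic not in self.in_use and nic not in self.unused:
            standbys_in_use = [s for s in self.in_use if s in self.standby]
            if not self.in_use:
                self.in_use.append(nic)  # nothing else is carrying traffic
            elif self.failback and nic in self.active:
                # Failback=Yes: the recovered active NIC takes back the slot
                # held by a standby; with Failback=No the standby keeps it.
                if standbys_in_use:
                    self.in_use.remove(standbys_in_use[-1])
                self.in_use.append(nic)
        return sorted(self.in_use)

if __name__ == "__main__":
    team = NicTeam(active=["vmnic0"], standby=["vmnic1"], unused=["vmnic2"])
    print(team.link_change("vmnic0", False), team.link_change("vmnic0", True))
```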

What is MTU (Maximum Transmission Unit)?

  • An MTU (maximum transmission unit) is the largest packet or frame size, specified in octets (eight-bit bytes), that can be sent on a packet- or frame-based network such as the Internet.
  • The default MTU size is 1500 bytes, which can be increased up to 9000 bytes.
  • Jumbo Frames can be enabled on a vSwitch, vDS, and VMkernel Adapter.

[Screenshot: vSphere Web Client, cp-esxi-02.pathshala.com, Virtual switches – MTU setting]

That’s all for this topic. As vSphere networking is a complex and interesting topic, I am planning to write a separate blog post with detailed information on each of the points mentioned above. Stay tuned for the coming posts.

Thanks for visiting here. Share this article if you found it useful. Be sociable.