vSphere Networking : VSS Advanced Settings


Introduction

In previous articles we discussed how to create a VSS (virtual standard switch) and how to create port groups to manage multiple network traffic types.

This article is complementary to those articles, so please make sure you understand them before diving in here.

Today we will talk about some advanced VSS topics:

Switch network security policies

There are three network security policies for virtual switches that help you protect virtual machines from impersonation or interception attacks. These policies are:

Promiscuous Mode

  • Set to Reject by default, which prevents a guest operating system from observing (monitoring) all traffic passing through the virtual switch with sniffing software or an intrusion detection system.
  • When set to Accept, a packet sniffer or intrusion detection system in the guest operating system can monitor all traffic on the switch, so enable it only for the port group that really needs it.

MAC Address Changes

  • Set to Accept by default, which allows a VM to change the MAC address of its virtual NIC.
  • When set to Reject and the guest operating system attempts to change the MAC address assigned to the virtual NIC, the virtual machine stops receiving traffic.

Forged Transmits

  • Set to Accept by default.
  • Affects traffic that is transmitted from a virtual machine. When set to Reject, the virtual NIC drops frames that the guest operating system sends if the source MAC address is different from the one assigned to the virtual NIC.

To change the VSS security policy in vCenter, do the following:
select ESXI151 > configure > virtual switches > vswitch0 > edit
configure your settings
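The same check and change done with PowerCLI, as an added example that is not part of the original article. It assumes PowerCLI is installed with a session open via Connect-VIServer, and uses the article's host name ESXI151 as a placeholder; it reports the three settings for each standard switch and port group, flags anything still on Accept, and then previews setting the switch-level policy to Reject.

```powershell
# Added example, not code from the original article. Assumes VMware PowerCLI
# is installed and a session is open with Connect-VIServer; the host name
# 'ESXI151' is the placeholder used in the article.
$esx = Get-VMHost -Name 'ESXI151'

# Report the three security settings for every standard vSwitch on the host
# and for every port group on it, so port-group level overrides are visible.
function Get-VssSecurityReport {
    param([Parameter(Mandatory)] $VMHost)
    foreach ($vss in Get-VirtualSwitch -VMHost $VMHost -Standard) {
        $p = Get-SecurityPolicy -VirtualSwitch $vss
        [pscustomobject]@{
            Object           = "vSwitch/$($vss.Name)"
            AllowPromiscuous = $p.AllowPromiscuous
            MacChanges       = $p.MacChanges
            ForgedTransmits  = $p.ForgedTransmits
            Inherited        = $null          # not applicable at switch level
        }
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vss) {
            $q = Get-SecurityPolicy -VirtualPortGroup $pg
            [pscustomobject]@{
                Object           = "PortGroup/$($pg.Name)"
                AllowPromiscuous = $q.AllowPromiscuous
                MacChanges       = $q.MacChanges
                ForgedTransmits  = $q.ForgedTransmits
                Inherited        = ($q.AllowPromiscuousInherited -and
                                    $q.MacChangesInherited -and
                                    $q.ForgedTransmitsInherited)
            }
        }
    }
}

# Anything still Accept ($true) is a finding: Accept on Promiscuous Mode lets a
# guest observe the whole switch, Accept on MAC Changes / Forged Transmits lets
# a guest send with a MAC address that is not its own.
$report   = Get-VssSecurityReport -VMHost $esx
$findings = $report | Where-Object { $_.AllowPromiscuous -or $_.MacChanges -or $_.ForgedTransmits }
$findings | Format-Table -AutoSize

# Remediate at the vSwitch level; port groups that do not override inherit it.
# -WhatIf only previews the change; drop it to apply.
foreach ($vss in Get-VirtualSwitch -VMHost $esx -Standard) {
    Get-SecurityPolicy -VirtualSwitch $vss |
        Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false -WhatIf
}
```

Workloads that legitimately send from a different source MAC (nested ESXi, Microsoft NLB in unicast mode) will lose connectivity once MAC Changes or Forged Transmits is Reject; give them their own port group that overrides the switch setting instead of leaving the whole switch on Accept.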

Configure speed and duplex

Sometimes you check the ESXi server and notice that the Ethernet LEDs on the server are orange instead of green.

A physical adapter can become a bottleneck for network traffic if the adapter speed does not match application requirements.

You can change the connection speed and duplex of a physical adapter to transfer data in compliance with the traffic rate.

If the physical adapter supports SR-IOV, you can enable it and configure the number of virtual functions to use for virtual machine networking.

Below is how to do it:
select ESXI152 > configure > physical adapter > select any vmnic > edit
set the speed as the situation requires

Traffic shaping [bandwidth management]

By default, all virtual network adapters connected to a virtual switch have access to the full amount of bandwidth on the physical network adapter with which the virtual switch is associated.

You can use the network traffic shaping policies to control a virtual machine's network bandwidth [this is called bandwidth management].

Traffic shaping is disabled by default. To establish a traffic shaping policy, you configure these three parameters:

  • Average Bandwidth – the number of kilobits per second allowed across a port. This number is measured over a period of time and represents the allowed average load.
  • Peak Bandwidth – the maximum number of kilobits per second allowed across a port when it is sending a burst of traffic. This number is used to limit the bandwidth during a burst and cannot be smaller than the average bandwidth number.
  • Burst Size – the maximum number of kilobytes allowed in a burst. This option allows a port that needs more bandwidth than is specified in the average bandwidth value to gain a burst of higher-speed traffic if a burst bonus is available.

A traffic shaping policy can be defined at either:

  • the virtual switch level
  • or the port group level,

with settings at the port group level overriding settings at the virtual switch level.

Please follow the instructions below if you would like to set bandwidth management:

select ESXI151 > configure > virtual switches > vswitch0 > edit
enable traffic shaping and set your values
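The three parameters applied from PowerCLI, as an added example that is not part of the original article. It assumes an open Connect-VIServer session and uses the article's placeholder names ESXI151 and vSwitch0; it goes through the HostNetworkSystem API because the UI takes Kbit/s and KB while the API stores bits per second and bytes (the decimal 1000 factor for Kbit is an assumption), and it enforces the rule that peak may not be smaller than average.

```powershell
# Added example, not code from the original article. Assumes PowerCLI with an
# open Connect-VIServer session; 'ESXI151' and 'vSwitch0' are the article's
# placeholder names. The Kbit -> bit factor of 1000 is an assumption.
function Set-VssTrafficShaping {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [string] $SwitchName,
        [Parameter(Mandatory)] [long] $AverageKbps,   # Average Bandwidth (UI: Kbit/s)
        [Parameter(Mandatory)] [long] $PeakKbps,      # Peak Bandwidth    (UI: Kbit/s)
        [Parameter(Mandatory)] [long] $BurstKB        # Burst Size        (UI: KB)
    )
    # Same rule the UI enforces: a burst may not be slower than the average.
    if ($PeakKbps -lt $AverageKbps) {
        throw "Peak bandwidth ($PeakKbps Kbps) cannot be smaller than average ($AverageKbps Kbps)"
    }
    $netSys = Get-View -Id $VMHost.ExtensionData.ConfigManager.NetworkSystem
    $vsw    = $netSys.NetworkInfo.Vswitch | Where-Object { $_.Name -eq $SwitchName }
    if (-not $vsw) { throw "Standard switch '$SwitchName' not found on $($VMHost.Name)" }

    # Reuse the current spec so NIC teaming, MTU and the security policy stay untouched.
    $spec = $vsw.Spec
    if (-not $spec.Policy) { $spec.Policy = New-Object VMware.Vim.HostNetworkPolicy }
    $shaping = New-Object VMware.Vim.HostNetworkTrafficShapingPolicy
    $shaping.Enabled          = $true
    $shaping.AverageBandwidth = $AverageKbps * 1000   # Kbit/s -> bit/s
    $shaping.PeakBandwidth    = $PeakKbps    * 1000   # Kbit/s -> bit/s
    $shaping.BurstSize        = $BurstKB     * 1024   # KB     -> bytes
    $spec.Policy.ShapingPolicy = $shaping
    $netSys.UpdateVirtualSwitch($SwitchName, $spec)
}

$esx = Get-VMHost -Name 'ESXI151'
# Constructed sample values: 10 Mbit/s average, 20 Mbit/s peak, 10 MB burst.
Set-VssTrafficShaping -VMHost $esx -SwitchName 'vSwitch0' -AverageKbps 10000 -PeakKbps 20000 -BurstKB 10240

# Read back what the host now reports (values come back in bit/s and bytes).
$check = (Get-View -Id $esx.ExtensionData.ConfigManager.NetworkSystem).NetworkInfo.Vswitch |
    Where-Object { $_.Name -eq 'vSwitch0' }
$check.Spec.Policy.ShapingPolicy | Format-List Enabled, AverageBandwidth, PeakBandwidth, BurstSize
```

A port group that sets its own shaping policy keeps it; this function only changes the switch-level policy that the other port groups inherit.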

VSS load balancing policies

The load-balancing policy determines how ESXi hosts will use their uplink adapters.

There are four load-balancing methods available when using a VSS standard virtual switch:

1. Originating virtual port ID – a VM’s outbound traffic is mapped to a specific physical NIC. The NIC is determined by the ID of the virtual port to which the VM is connected. This is the default.

2. Source MAC hash – a VM’s outbound traffic is mapped to a specific physical NIC that is based on the virtual NIC’s MAC address.

3. IP hash – a NIC for each outbound packet is selected based on its source and destination IP address. This method requires the use of EtherChannel on the physical switch.

4. Explicit failover order – an adapter that is listed highest in the order of active adapters and passes failover detection criteria will be used.

A load balancing policy can be defined at either the virtual switch level or the port group level, with settings at the port group level overriding settings at the virtual switch level. Below are the steps for configuring load balancing on a standard virtual switch using the vSphere Web Client.

My opinion as Maher: I prefer to keep the default settings.

But if you are interested in changing them, then:

select ESXI151 > configure > virtual switches > vswitch0 > edit
set your value

Network failover detection

Network failover detection is a mechanism used to detect a network failure. 

There are two network failover detection methods available in vSphere when using VSS:

Link status only

  • This is the default.
  • Relies on the link status provided by the network adapter.
  • This method can detect failures like cable pulls and physical switch power failures,
  • but cannot detect configuration errors (e.g. wrong VLAN configuration of a physical switch port) or cable pulls on the other side of a physical switch.

Beacon probing 

  • Probes are sent out and listened for on all NICs in the team.
  • This method can determine link status and failures that the Link status only method cannot,
  • such as configuration errors and cable pulls on the other side of a physical switch.
  • Beacon probing should not be used in conjunction with the IP Hash load-balancing policy.

To change the failover detection method:
select ESXI151 > configure > virtual switches > vswitch0 > edit
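One PowerCLI audit covering both the load balancing and the failover detection sections, as an added example that is not part of the original article. It assumes an open Connect-VIServer session and the article's placeholder names ESXI151 and vSwitch0; it reports each standard switch's teaming policy, flags the beacon probing + IP hash combination the article says to avoid and switches with no uplink redundancy, and previews returning a switch to the defaults.

```powershell
# Added example, not code from the original article; it serves both the load
# balancing and the failover detection sections. Assumes PowerCLI with an open
# Connect-VIServer session; 'ESXI151' and 'vSwitch0' are the article's placeholders.
$esx = Get-VMHost -Name 'ESXI151'

function Get-VssTeamingReport {
    param([Parameter(Mandatory)] $VMHost)
    foreach ($vss in Get-VirtualSwitch -VMHost $VMHost -Standard) {
        $t       = Get-NicTeamingPolicy -VirtualSwitch $vss
        $active  = @($t.ActiveNic)
        $standby = @($t.StandbyNic)
        [pscustomobject]@{
            Switch            = $vss.Name
            LoadBalancing     = $t.LoadBalancingPolicy             # LoadBalanceSrcId = originating virtual port ID (default)
            FailoverDetection = $t.NetworkFailoverDetectionPolicy  # LinkStatus = link status only (default)
            ActiveNics        = ($active -join ',')
            StandbyNics       = ($standby -join ',')
            # Combination the article says not to use.
            BeaconWithIpHash  = ($t.LoadBalancingPolicy -eq 'LoadBalanceIP' -and
                                 $t.NetworkFailoverDetectionPolicy -eq 'BeaconProbing')
            # With a single uplink there is nothing to fail over to.
            NoRedundancy      = ($active.Count + $standby.Count) -lt 2
        }
    }
}

$report = Get-VssTeamingReport -VMHost $esx
$report | Format-Table -AutoSize

# Only the switches that need attention.
$report | Where-Object { $_.BeaconWithIpHash -or $_.NoRedundancy } | Format-Table -AutoSize

# Return a switch to the defaults the article recommends keeping:
# originating virtual port ID + link status only. -WhatIf previews; drop it to apply.
Get-VirtualSwitch -VMHost $esx -Standard -Name 'vSwitch0' |
    Get-NicTeamingPolicy |
    Set-NicTeamingPolicy -LoadBalancingPolicy LoadBalanceSrcId -NetworkFailoverDetectionPolicy LinkStatus -WhatIf
```

Port groups can override the switch teaming policy, so run Get-NicTeamingPolicy -VirtualPortGroup on any port group that shows an override before assuming the switch-level values are what a VM actually uses.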