Module 3: Configuring

vSphere Networking

© 2023 VMware, Inc.

1
Importance
When you successfully configure ESXi networking, virtual machines can communicate with other
machines, both virtual and physical. Additionally, a successfully configured ESXi network allows the
VMkernel to operate remote host management and IP-based storage effectively.
vSphere standard switches provide effective networking for small environments. As you scale your
vSphere environment, the built-in features and functions of vSphere distributed switches can help you
manage networking in larger environments.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5-2

2
Module Lessons
1. vSphere Standard Switches
2. Virtual Switch Networking Policies
3. vSphere Distributed Switches

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5-3

3
Lesson 1: vSphere Standard Switches

© 2019 VMware Inc. All rights reserved.

4
Learner Objectives
• Identify virtual switch connection types
• Configure and view standard switch configurations

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5-5

5
About Virtual Switches
Virtual switches connect VMs to the physical network.
They provide connectivity between VMs on the same ESXi host or on different ESXi hosts.
They also support VMkernel services, such as vSphere vMotion migration, iSCSI, NFS, and access to the
management network.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5-6

6
Types of Virtual Switches
A virtual network supports standard and distributed switches. Both switch types are elastic, ports are
created and removed automatically:

• Standard switch: • Distributed switch:

– Virtual switch that is configured for a single – Virtual switch that is configured for an entire
host. data center.
– Up to 2,000 hosts can be attached to the
same distributed switch.
– The configuration is consistent across all
attached hosts.
– Hosts must either have an Enterprise Plus
license or belong to a vSAN cluster.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5-7

7
 Types of Virtual Switch Connections
A virtual switch has specific connection types:
• VM ports
• VMkernel ports
– IP storage, vSphere vMotion migration, vSphere Fault Tolerance, vSAN, vSphere Replication, and
the ESXi management network
• Uplink ports
VM ports and VMkernel ports exist in port groups.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5-8

The ESXi management network port is a VMkernel port that connects to network or remote services,
including vpxd on vCenter and VMware Host Client.
Each ESXi management network port as well as all other VMkernel ports must be configured with their
own IP address, netmask, and gateway.
To configure virtual switches, you create port groups. A port group is a template that stores configuration
information to create virtual switch ports on a virtual switch. Port groups can contain VM ports, which
connect VMs to one another with common networking properties. Port groups can also contain VMkernel
ports.
VM ports and VMkernel ports connect to the outside world through the physical Ethernet adapters that
are connected to the virtual switch uplink ports.

8
 Virtual Switch Connection Examples
Networks (port groups) can coexist on the same virtual switch or on separate virtual switches.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5-9

When you design your networking environment, you can group all your networks on a single virtual switch.
Alternatively, you can opt for multiple virtual switches, each with a separate network. The decision partly
depends on the layout of your physical networks.
For example, you might not have enough network adapters to create a separate virtual switch for each
network. Instead, you might place your network adapters in a single virtual switch and isolate the networks
by using VLANs.
Because physical NICs are assigned at the virtual switch level, all ports and port groups that are defined for
a particular switch share the same hardware.

9
 About VLANs and Virtual Switch Tagging
ESXi provides VLAN support by assigning a VLAN
ID to a port group. ESXi supports 802.1Q VLAN
tagging.
Virtual switch tagging is one of the supported
tagging policies:
• Frames from a VM are tagged as they exit the
virtual switch.
• Tagged frames arriving at a virtual switch are
untagged before they are sent to the destination
VM.
• The effect on performance is minimal.
Physical switch ports must be configured as trunk
ports.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 10

VLANs provide for logical groupings of switch ports. All virtual machines or ports in a
VLAN communicate as if they are on the same physical LAN segment. A VLAN is a
software-configured broadcast domain. Using a VLAN provides the following benefits:
•Creation of logical networks that are not based on the physical topology
•Improved performance by confining broadcast traffic to a subset of ports on a switch
•Cost savings by partitioning the network without the overhead of deploying new routers
VLANs are configured at the port group level. The ESXi host provides VLAN support through virtual
switch tagging, which is provided by giving a port group a VLAN ID. By default, the VLAN ID is 0. The
VMkernel takes care of all tagging and untagging as the packets pass through the virtual switch.
The port on a physical switch to which an ESXi host is connected must be defined as a static trunk port. A
trunk port is a port on a physical Ethernet switch that is configured to send and receive packets tagged
with a VLAN ID. No VLAN configuration is required in the VM. In fact, the VM does not know that it is
connected to a VLAN.
For more information about how VLANs are implemented, see VMware knowledge base article 1003806
at http://kb.vmware.com/kb/1003806.

10
 Viewing Standard Switches
In the vSphere Client, you can view a host’s standard switch configuration by selecting Virtual Switches
on the Configure tab.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 11

The slide shows the standard switch, vSwitch0, on the sa-esxi-01.vclass.local ESXi host. By default, the
ESXi installation creates a virtual machine port group named VM Network and a port group named
Management Network that contains a VMkernel port for management traffic. You can create additional
port groups for VMs and VMkernel ports. For example, you can create an IP Storage port group that
contains a VMkernel port for accessing iSCSI storage.
For performance and security, you should remove the VM Network virtual machine port group and keep
VM networks and management networks separated on different physical networks or VLANs.

11
Adding Standard Switches
You can add new standard switches to an ESXi host or configure existing ones using the vSphere Client
or VMware Host Client.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 12

12
VMkernel Adapter Properties
The VMkernel adapters pane shows details about the VMkernel interfaces, such as its name, the switch
on which it is located, the IP address, and enabled services.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 13

13
 VMkernel Adapter Properties: Enabled Services
You can activate services for the VMkernel adapter.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 14

Select from the available services:

•vMotion: Allows the VMkernel adapter to advertise itself to another host as the network
connection where vSphere vMotion traffic is sent.
•Provisioning: Handles the data transferred for virtual machine cold migration, cloning, and
snapshot migration.
•Fault Tolerance logging: Activates Fault Tolerance logging on the host.
•Management: Activates the management traffic for the host and vCenter.
•vSphere Replication: Handles the outgoing replication data that is sent from the source
ESXi host to the vSphere Replication server.
•vSphere Replication NFC: Handles the incoming replication data on the target replication
site.
•vSAN: Activates the vSAN traffic on the host.
•vSphere Backup NFC: VMkernel port setting for dedicated backup NFC traffic.
•NVMe over TCP: VMkernel port setting for dedicated NVMe over TCP storage traffic.
NVMe over TCP storage traffic goes through the VMkernel Adapter when NVMe over TCP
adapter is enabled.
•NVMe over RDMA: VMkernel port setting for dedicated NVMe over RDMA storage traffic.
NVMe over RDMA storage traffic goes through the VMkernel Adapter when NVMe over
RDMA adapter is enabled.

14
 Physical Adapter Properties
The Physical adapters pane shows adapter details such as speed, duplex, and networks.
Although the speed and duplex settings are configurable, the best practice is to leave the settings to auto
negotiation.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 15

You can change the connection speed and duplex of a physical adapter to transfer data in compliance with
the traffic rate.

15
Lab 7: Creating Standard Switches
Create a standard switch and a port group for virtual machines:
1. View the Standard Switch Configuration
2. Create a Standard Switch with a Virtual Machine Port Group
3. Attach Virtual Machines to the Virtual Machine Port Group

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 16

16
Review of Learner Objectives
• Identify virtual switch connection types
• Configure and view standard switch configurations

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 17

17
Lesson 2: Virtual Switch Networking Policies

© 2019 VMware Inc. All rights reserved.

18
Learner Objectives
• Explain how to set security policies for a virtual switch
• Explain how to set traffic shaping policies for a virtual switch
• Explain how to set NIC teaming and failover policies for a virtual switch

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 19

19
 About Networking Policies
As an administrator, you set networking policies on virtual switches to configure virtual network
properties, such as security, performance, and availability.
Depending on the virtual switch type, networking policies can be applied at different levels of the virtual
switch.

Virtual Switch Type Set Default Policy At Override Default Policy At

vSphere Standard Switch Standard switch level Port group level
vSphere Distributed Switch Distributed port group level Individual port level

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 20

The networking security policy provides protection against MAC address impersonation and unwanted
port scanning.
The traffic shaping policy is useful when you want to limit the amount of traffic to a VM or a group of VMs.

Use the teaming and failover policy to determine the following information:
•How the network traffic of VMs and VMkernel adapters connected to the switch is
distributed between physical adapters.
•How the traffic should be rerouted if an adapter fails.

20
 Configuring Security Policies
As an administrator, you can define security policies at both the standard switch level and the port group
level:
• Promiscuous mode: Allow or disallow all traffic to be forwarded, regardless of the destination.
• MAC address changes: Accept or reject inbound traffic when the MAC address is altered by the
guest.
• Forged transmits: Accept or reject outbound traffic when the MAC address is altered by the guest.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 21

For most cases, the recommended setting for all policies is Reject.

The network security policy contains the following exceptions:

•Promiscuous mode: Promiscuous mode allows a virtual switch or port group to forward
all traffic, regardless of their destinations. The default is Reject.
•MAC address changes: If this option is set to Reject and the guest attempts to change
the MAC address assigned to the virtual NIC, it stops receiving frames. The default is
Reject. Keep the default setting to help protect against attacks launched by a rogue guest
operating system.
•Forged transmits: A frame’s source address field may become altered by the guest and
contain a MAC address other than the assigned virtual NIC MAC address. You can set the
Forged Transmits parameter to accept or reject such frames. The default is Reject. Keep
the default setting to help protect against attacks launched by a rogue guest operating
system.
In general, these policies give you the option of disallowing certain behaviors that might compromise
security. For example, a hacker might use a promiscuous mode device to capture network traffic for
unscrupulous activities. Or, someone might impersonate a node and gain unauthorized access by spoofing
its MAC address.

Change the setting to Accept only for specialized use cases. Examples:
•Set Promiscuous mode to Accept to use an application in a VM that analyzes or sniffs
packets, such as a network-based intrusion detection system.
•Set MAC address changes and Forged transmits to Accept if your applications change
the mapped MAC address, as do some guest operating system-based firewalls.

21
Security Policies

© 2023 VMware, Inc.

22
 Traffic-Shaping Policies
Network traffic shaping is a mechanism for limiting a virtual machine’s consumption of available network
bandwidth.
Average rate, peak rate, and burst size are configurable.
Network traffic shaping is deactivated by default.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 22

The ESXi host shapes traffic by establishing parameters for the following traffic
characteristics:
•Average bandwidth (Kbps): Establishes the number of kilobits per second to allow across
a port, averaged over time. The average bandwidth is the allowed average load.
•Peak bandwidth (Kbps): The maximum number of kilobits per second to allow across a
port when it is sending a burst of traffic. This number tops the bandwidth that is used by a
port whenever the port is using the burst bonus that is configured using the Burst size
parameter.
•Burst size (KB): The maximum number of kilobytes to allow in a burst. If this parameter is
set, a port might gain a burst bonus if it does not use all its allocated bandwidth. Whenever
the port needs more bandwidth than the average bandwidth, the port might be allowed to
temporarily transmit data at a faster speed if a burst bonus is available. This parameter
tops the number of kilobytes that have accumulated in the burst bonus and so transfers at a
faster speed.

23
 Configuring Outbound Traffic Shaping
A traffic-shaping policy is defined by average bandwidth, peak bandwidth, and burst size.
Parameters apply to each virtual NIC in the standard switch.
On a standard switch, traffic shaping controls only outbound traffic. Outbound traffic travels from the
VMs to the virtual switch and out onto the physical network.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 23

A virtual machine’s network bandwidth can be controlled by activating the network traffic shaper.
The slide shows activating traffic shaping on a standard switch. The network traffic shaper, when used on
a standard switch, shapes only outbound network traffic. To control inbound traffic, use a load-balancing
system or turn on rate-limiting features on your physical router.

24
 Configuring NIC Teaming and Failover
With NIC teaming, you can
increase the network capacity of
a port group by including two or
more physical NICs in a team.
Add the physical NICs (or uplinks)
to the Active uplinks group.

VM traffic is load balanced across the Active uplinks using the

selected Load balancing option.
© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 24

NIC teaming increases the network bandwidth of the switch and provides redundancy. To determine how
the traffic is rerouted when an adapter fails, you include physical NICs in a failover order.
The load-balancing policy determines how network traffic is distributed between the network adapters in a
NIC team. Depending on the needs and capabilities of your environment, select load-balancing algorithms
to have the virtual switch distribute the network traffic between the physical NICs in a team. Virtual
switches only load balance outgoing traffic. Incoming traffic is controlled by the load-balancing policy on
the physical switch.

A failover order determines which links are active during normal operations, and which
links are active in the event of a failover. You can customize the following adapters in a
failover order list:
•Active: Use the NICs in this group whenever the NIC connectivity is up and active.
•Standby: Use a NIC in this group if one of the NICs is down.
•Unused: Do not use this NIC. NICs are placed in this group to reserve them for
emergencies. They can be moved to the Active group when needed.

25
 Load Balancing Method: Originating Virtual Port ID
With the load balancing method that is based on the originating virtual port ID, a virtual machine’s
outbound traffic is mapped to a specific physical NIC.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 25

To play the animation, go to https://vmware.bravais.com/s/JRjAEOiEo0jRe4mD7IWd

The load-balancing method that uses the originating virtual port ID is simple and fast and does not require
the VMkernel to examine the frame for the necessary information. The NIC is determined by the ID of the
virtual port to which the VM is connected. With this method, no single-NIC VM gets more bandwidth than
what can be provided by a single physical adapter.

This method has advantages:

•Traffic is evenly distributed if the number of virtual NICs is greater than the number of
physical NICs in the team.
•Algorithm overhead is low because, in most cases, the virtual switch calculates uplinks for
the VM only once.
•No changes on the physical switch are required.

This method also has disadvantages:

•The virtual switch does not take into account the traffic load on the uplinks. The virtual
switch does not load balance the traffic to uplinks that are used less.
•The bandwidth that is available to a VM is limited to the speed of the uplink that is
associated with the relevant port ID, unless the VM has more than one virtual NIC.

26
 Load Balancing Method: Source MAC Hash
A virtual machine's outbound traffic, when load balanced using the source MAC hash method, is mapped
to a specific physical NIC based on the virtual NIC’s MAC address.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 26

To play the animation, go to https://vmware.bravais.com/s/5kWE2uiGtaCVLFwz8S3z

The load balancing method based on source MAC hash has low overhead and is compatible with all
switches, but it might not spread traffic evenly across all the physical NICs. In addition, no single-NIC virtual
machine gets more bandwidth than a single physical adapter can provide.

This method has advantages:

•VMs use the same uplink because the MAC address is static. Powering a VM on or off
does not change the uplink that the VM uses.
•No changes on the physical switch are required.

This method has disadvantages:

•The bandwidth that is available to a VM is limited to the speed of the uplink that is
associated with the relevant port ID, unless the VM uses multiple source MAC addresses.
•Algorithm overhead is higher than with a route based on the originating virtual port
because the virtual switch calculates an uplink for every packet.
•The virtual switch is not aware of the load of the uplinks, so uplinks might become
overloaded.

27
 Load Balancing Method: Source and Destination IP Hash
With the IP-based load balancing method, a NIC for each outbound packet is selected based on its
source and destination IP addresses.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 27

To play the animation, go to https://vmware.bravais.com/s/Z4td6qx8jCjFtYLycPl0

The IP-based method requires 802.3ad link aggregation support or an EtherChannel on the switch. The
Link Aggregation Control Protocol (LACP) is a method to control the bundling of several physical ports to
form a single logical channel. LACP is part of the IEEE 802.3ad specification.
EtherChannel is a port trunking technology that is used primarily on Cisco switches. With this technology,
you can group several physical Ethernet links to create one logical Ethernet link for providing fault
tolerance and high-speed links between switches, routers, and servers.
With this method, a single-NIC virtual machine might use the bandwidth of multiple physical adapters.
The IP-based load balancing method only affects outbound traffic. For example, a VM might select a
particular NIC to communicate with a particular destination VM. The return traffic might not be handled on
the same NIC as the outbound traffic, but by another NIC in the same NIC team.

This method has advantages:

•The load is more evenly distributed compared to the route based on the originating virtual
port and the route based on source MAC hash because the virtual switch calculates the
uplink for every packet.
•VMs that communicate with multiple IP addresses have a potentially higher throughput.

This method has disadvantages:

•Algorithm overhead is the highest compared to the other load balancing algorithms.
•The virtual switch is not aware of the actual load of the uplinks.
•Changes on the physical network are required.
•The method is complex to troubleshoot.

28
 Detecting and Handling Network Failure
Network failures are monitored and detected by
the VMkernel. The VMkernel monitors the link state
and performs beacon probing (if selected) on one
second intervals to ensure network uptime.
If the VMkernel determines a network failure, the
VMkernel notifies physical switches of changes in
the physical location of a MAC address.
Failover is implemented by the VMkernel based on
configurable parameters:
• Failback: How the physical adapter is returned to
active duty after recovering from failure.
• Load-balancing option: Use explicit failover order.
Always use the vmnic uplink at the top of the
active adapter list.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 28

Monitoring the link status that is provided by the network adapter detects failures such as cable pulls and
physical switch power failures. This monitoring does not detect configuration errors, such as a physical
switch port being blocked by the Spanning Tree Protocol or misconfigured VLAN membership. This
method cannot detect upstream, nonphysically connected switch or cable failures.
Beacon probing introduces a 62-byte packet load approximately every 1 second per physical NIC. When
beacon probing is activated, the VMkernel sends out and listens for probe packets on all NICs that are
configured as part of the team. This technique can detect failures that link-status monitoring alone cannot.
A specific network topology is required for beacon probing to work. Consult your switch manufacturer to
verify the support of beacon probing in your environment. For information on beacon probing, see
VMware knowledge base article 1005577 at http://kb.vmware.com/kb/1005577.
A physical switch can be notified by the VMkernel whenever a virtual NIC is connected to a virtual switch.
A physical switch can also be notified whenever a failover event causes a virtual NIC’s traffic to be routed
over a different physical NIC. The notification is sent over the network to update the lookup tables on
physical switches. In most cases, this notification process is beneficial because, without it, VMs experience
greater latency after failovers and vSphere vMotion operation.
Do not set this option when the VMs connected to the port group are running Microsoft Network Load
Balancing (NLB) in unicast mode. NLB in multicast mode is unaffected. For more information about the NLB
issue, see VMware knowledge base article 1556 at http://kb.vmware.com/kb/1556.
When using explicit failover order, always use the highest order uplink from the list of active adapters that
pass failover-detection criteria.

The failback option determines how a physical adapter is returned to active duty after
recovering from a failure:
•If Failback is set to Yes, the failed adapter is returned to active duty immediately on
recovery, displacing the standby adapter that took its place at the time of failure.
•If Failback is set to No, a failed adapter is left inactive even after recovery, until another
currently active adapter fails, requiring its replacement.

29
Physical Network Considerations
Your virtual networking environment relies on the physical network infrastructure. As a vSphere
administrator, you should discuss your vSphere networking needs with your network administration team.
The following issues are topics for discussion:
• Number of physical switches
• Network bandwidth required
• Physical switch configuration support for 802.1Q, for VLAN tagging
• Physical switch configuration support for NIC teaming: 802.3ad, Link Aggregation Control Protocol
(LACP), or EtherChannel
• Network port security
• Link Layer Discovery Protocol (LLDP) and Cisco Discovery Protocol (CDP) and their operation modes,
such as listen, broadcast, listen and broadcast, and disabled

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 29

30
Activity: Networking Security Policy (1)
Which statement accurately describes Promiscuous mode when it is set to Accept?
(Choose one.)
o The ESXi host is allowed to drop network packets that seem suspicious.
o An administrator provides enhanced security to the virtual switch.

o An administrator can use a network-based intrusion detection system in a VM.

o The guest OS is given permission to change the VM's MAC address.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 30

31
Activity: Networking Security Policy (2)
Which statement accurately describes Promiscuous mode when it is set to Accept?
(Choose one.)
o The ESXi host is allowed to drop network packets that seem suspicious.
o An administrator provides enhanced security to the virtual switch.

 An administrator can use a network-based intrusion detection system in a VM.

o The guest OS is given permission to change the VM's MAC address.
When promiscuous mode is set to Accept, an administrator can run legitimate software such as a
network-based intrusion detection system. However, when this mode is enabled, the virtual switch is
vulnerable to security breaches.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 31

32
Activity: Traffic Shaping Policy (1)
Which statement accurately describes the traffic
shaping policy configuration?
(Choose one.)
o Traffic shaping is activated on the entire
standard switch.
o The traffic shaping policy for the TestDev port
group overrides the policy defined on the
standard switch.
o The bandwidth used for normal operation by
VMs on the TestDev port group is 100 Mbps.
o The Accounting port group is subject to traffic
shaping, with an average bandwidth of 1 Gbps.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 32

33
Activity: Traffic Shaping Policy (2)
Which statement accurately describes the traffic
shaping policy configuration?
(Choose one.)
o Traffic shaping is activated on the entire
standard switch.
 The traffic shaping policy for the TestDev port
group overrides the policy defined on the
standard switch.
o The bandwidth used for normal operation by
VMs on the TestDev port group is 100 Mbps.
o The Accounting port group is subject to traffic
shaping, with an average bandwidth of 1 Gbps.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 33

34
Activity: NIC Teaming and Failover Policy (1)
The load balancing method called Originating Virtual Port ID is only available on distributed switches.
o True
o False

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 34

35
Activity: NIC Teaming and Failover Policy (2)
The load balancing method based on the originating virtual port ID is only available on distributed
switches.
o True
 False
The load balancing method based on physical NIC load is the only method supported on distributed
switches.
The load balancing method that is only available on distributed switches is the Route based on physical
NIC load option. This method ensures that physical NIC capacity in a NIC team is optimized.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 35

36
Review of Learner Objectives
• Explain how to set security policies for a virtual switch
• Explain how to set traffic shaping policies for a virtual switch
• Explain how to set NIC teaming and failover policies for a virtual switch

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 36

37
Lesson 3: vSphere Distributed Switches

© 2019 VMware Inc. All rights reserved.

38
Learner Objectives
• Recognize the difference between standard switches and distributed switches
• Identify the benefits and features of distributed switches
• Create a distributed switch

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 38

39
 About Distributed Switches
A distributed switch functions as a single virtual switch across all associated hosts. Distributed switches
have several benefits over standard switches:
• Distributed switches centralize the virtual network administration, and simplifies the data center
administration.
• Distributed switch ports are statically assigned by vCenter and offer more granular control over
network statistics and policies.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 39

Standard switches are configured at the host level. Distributed switches are configured at the data center
level, which gives distributed switches the following advantages:
•Data center setup and administration are simplified through this centralized network
configuration. For example, adding a host to a cluster and making it compatible with
vSphere vMotion is much easier than with a standard switch.
•Distributed ports migrate with their VMs. For example, when you migrate a VM with
vSphere vMotion, the distributed port statistics and policies move with the VM, which
simplifies debugging and troubleshooting.

40
 Distributed Switch Architecture
Managed by vCenter, a distributed switch is a logical entity that you can use to create and maintain a
consistent virtual networking configuration throughout all your ESXi hosts.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 40

A distributed switch moves network management components to the data center level.

The distributed switch architecture consists of the control plane and the I/O plane.
•The control plane resides in vCenter. The control plane configures distributed switches,
distributed port groups, distributed ports, uplinks, NIC teaming, and so on. The control
plane also coordinates the migration of the ports and is responsible for the switch
configuration.
•The I/O plane is implemented as a hidden virtual switch in the VMkernel of each ESXi
host. The I/O plane manages the I/O hardware on the host and is responsible for
forwarding packets. vCenter oversees the creation of these hidden virtual switches.
Each distributed switch includes distributed ports. You can connect any networking entity, such as a VM or
a VMkernel interface, to a distributed port. vCenter stores the state of distributed ports in the vCenter
database.
With a distributed port group, you can logically group distributed ports to simplify configuration. A
distributed port group specifies port configuration options for each member port on a distributed switch.
Ports can also have their own unique configuration.
Uplinks are abstractions of vmnics from multiple hosts to a single distributed switch. An uplink is to a
distributed switch what a vmnic is to a standard switch. Two VMs on different hosts can communicate with
each other only if both VMs have uplinks in the same broadcast domain.

41
Standard and Distributed Switches: Shared Features
Standard and distributed switches share some features.

Feature Standard Switch Distributed

Switch
Layer 2 switch ✓ ✓
VLAN segmentation ✓ ✓
802.1Q tagging ✓ ✓
IPv4 and IPv6 support ✓ ✓
NIC teaming ✓ ✓
Outbound traffic shaping ✓ ✓

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 41

42
 Distributed Switch Features
Distributed switches have several features that standard switches do not have.

Feature Standard Switch Distributed Switch

Inbound traffic shaping ✓
Configuration backup and restore ✓
Private VLANs ✓
Link Aggregation Control Protocol ✓
Data center level management ✓
vSphere vMotion migration of network state ✓
Network I/O Control ✓
Per-port policy settings ✓
Port state monitoring ✓
NetFlow ✓
Port mirroring ✓
Support for NSX ✓

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 42

During a vSphere vMotion migration, a distributed switch tracks the virtual networking state (for example,
counters and port statistics) VMs moving between hosts. This tracking provides a consistent view of a
virtual network interface, regardless of the VM location or vSphere vMotion migration history.
Tracking simplifies network monitoring and troubleshooting activities when migrating VMs between hosts
using vSphere vMotion.

43
Viewing Distributed Switches
In the vSphere Client, you can view the distributed switch configuration using the Topology pane in the
Configure tab.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 43

44
 Discovery Protocols
Switch discovery protocols help network administrators gather configuration and connection information
about physical or virtual switches.
vSphere supports the following discovery protocols:
• Cisco Discovery Protocol (CDP): For vSphere standard switches and distributed switches connected
to Cisco physical switches
• Link Layer Discovery Protocol (LLDP): A vendor-neutral protocol for distributed switches only
Standard switches can be configured to use CDP.
Distributed switches can use CDP or LLDP.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 44

Switch discovery protocols help network administrators determine the capabilities of a network device.
Such information might help in troubleshooting network problems.
Cisco Discovery Protocol (CDP) was developed by Cisco Systems to broadcast connected device
information at network layer 2. CDP is supported in vSphere since version 4.0.
Link Layer Display Protocol (LLDP) supports the standards-based IEEE 802.1AB discovery protocol and is
available on distributed switches only.
Network devices use CDP or LLDP to advertise their identity, capabilities, and neighbors on a network.

45
 Configuring CDP or LLDP
With CDP or LLDP enabled, you can configure a
virtual switch for different modes of operation:
• Listen: Information is received from the physical
switches.
• Advertise: Information is sent to the physical
switches.
• Both: Information is both sent to and received
from the physical switches.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 45

With CDP and LLDP, the vSphere Client can identify properties of a physical switch, such as switch name,
port number, and port speed or duplex settings. You can also configure CDP or LLDP so that information
about physical adapters and ESXi host names is passed to the CDP or LLDP compatible switches.
You can configure the discovery protocol to use one of the following modes of operation:
•Listen (default): The ESXi host detects and displays information about the associated
physical switch port, but information about the virtual switch is not available to the physical
switch administrator.
•Advertise: The ESXi host provides information about the virtual switch to the physical
switch administrator but does not detect and display information about the physical switch.
•Both: The ESXi host detects and displays information about the associated physical switch
and provides information about the virtual switch to the physical switch administrator.
You can use the esxcli command to enable CDP on a standard switch.

46
 About Port Binding
Port binding determines when and how a VM
virtual NIC is assigned to a virtual switch port.
Port binding is configured at the distributed port
group level, and binding options include:
• Static binding (default): vCenter assigns a
permanent port for the VM or VMkernel
interface.
• Ephemeral: ESXi (not vCenter) assigns the
port to the VM. The assigned port changes
when the VM reboots.
Port allocation options for static binding:
• Elastic (default): When all ports are assigned, a
new set of eight ports is created.
• Fixed: No additional ports are created when all
ports are assigned.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 46

When you connect a VM to a port group that is configured with static binding, a port is immediately
assigned and reserved for the VM, guaranteeing connectivity at all times. The port is disconnected only
when the VM is removed from the port group. Static binding is recommended for general use.
If you select static binding, the default number of ports is set to eight. Elastic is the default port allocation
setting.
With ephemeral binding, a port is created and assigned to a VM when the VM is powered on and its NIC is
in a connected state. The port is deleted when the VM is powered off or the VM NIC is disconnected.
You can make ephemeral port assignments through the ESXi host and vCenter, providing flexibility in
managing VM connections through the host when vCenter is down. Only an ephemeral binding allows you
to modify VM network connections when vCenter is down. However, network traffic is unaffected by a
vCenter failure, regardless of the port binding type.
Use ephemeral port groups only for recovery purposes when you want to provision ports directly on an
ESXi host, bypassing vCenter, and not in any other case.

47
 Configuring Inbound Traffic Shaping
Distributed switches support inbound traffic shaping and outbound traffic shaping.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 47

Where outbound (or egress) traffic shaping is supported by both standard switches and distributed
switches, inbound (or ingress) traffic shaping is supported only by distributed switches.
Inbound traffic is traffic traveling from the physical network to the virtual switch to the VMs.

48
 Load Balancing Method: Physical NIC Load
This method is supported only on distributed switches and is the recommended policy for distributed port
groups.

Load balancing based on physical NIC load ensures

that physical NIC capacity in a NIC team is
optimized. This feature works in the following ways:
• It moves I/O flows among uplinks.
• A flow is moved only when the mean send or
receive utilization of an uplink exceeds 75
percent of the capacity over a 30-second
period.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 48

To use this method, edit the distributed port group settings, and select Route based on physical NIC load.
This NIC teaming method checks the real load of the uplinks and reduces the load on overloaded uplinks.
No changes on the physical switch are required.
The distributed switch calculates uplinks for VMs by checking the VM port ID and the number of uplinks in
the NIC team. The distributed switch tests the uplinks every 30 seconds. If the load of an uplink exceeds
75 percent of usage, the port ID of the VM with the highest I/O is moved to a different uplink.
Route based on physical NIC load is not the default teaming policy. You must configure the policy to use it
on a distributed switch.

This method has advantages:

•Low algorithm overhead because the distributed switch calculates uplinks for virtual
machines only once and checking the uplinks has minimal impact.
•The distributed switch is aware of the load of uplinks and takes care to reduce it if needed.
•No changes on the physical switch are required.

This method has disadvantages:

•The bandwidth that is available to virtual machines is limited to the uplinks that are
connected to the distributed switch.

49
Lab 8: Configuring vSphere Distributed Switches
Create and configure a distributed switch:
1. Create a Distributed Switch
2. Add ESXi Hosts to the Distributed Switch
3. Verify Your Distributed Switch Configuration

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 49

50
Review of Learner Objectives
• Recognize the difference between standard switches and distributed switches
• Identify the benefits and features of distributed switches
• Create a distributed switch

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 50

51
Key Points
• Virtual switches can have the following connection types: VM ports, VMkernel port, and physical
uplinks.
• A standard switch is a virtual switch configuration for a single host.
• A distributed switch provides functions that are similar to a standard switch. But the distributed switch
defines a single configuration that is managed by vCenter and is shared across all associated hosts.
• You set networking policies on virtual switches to configure properties for security, performance, and
availability.
• Network policies set at the standard switch level can be overridden at the port group level. Network
policies set at the distributed switch port group level can be overridden at the individual port level.
Questions?

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 5 - 51

52