VCAP5-DCA Objective 2.3 – Deploy and maintain scalable virtual networking

Objectives

  • Understand the NIC Teaming failover types and related physical network settings
  • Determine and apply Failover settings
  • Configure explicit failover to conform with VMware best practices
  • Configure port groups to properly isolate network traffic

Understand the NIC Teaming failover types and related physical network settings

Official Documentation:
vSphere Networking, Chapter 5 “Networking Policies”, Section “Load balancing and Failover policies”, page 43

Summary:
The Load Balancing and Failover policies determine how network traffic is distributed between the adapters of a team and how traffic is rerouted in the event of an adapter failure.

Load Balancing and Failover is one of the available Networking Policies, alongside VLAN, Security, Traffic Shaping and so on.

The Failover and Load Balancing policies include three parameters:

  • Load Balancing policy: The Load Balancing policy determines how outgoing traffic is distributed among the network adapters assigned to a standard switch. Incoming traffic is controlled by the Load Balancing policy on the physical switch.
  • Failover Detection: Link Status/Beacon Probing
  • Network Adapter Order (Active/Standby)

Editing these policies for the vSS and the vDS is done in two different locations within the vSphere Client.

vSS: Hosts and Clusters, Configuration tab, Hardware, Networking. Select the desired vSS and open its properties. The “NIC Teaming” tab sets the policy at the vSwitch level; each port group can override it.

Figure 1 vSS

vDS, via Networking. Select the desired vDS.
Configure on the dvPortgroup level. Override on the Port level.
Also on the dvUplink level.

Figure 2 vDS

The first Policy is Load Balancing; there are four/five options (vSS and vDS respectively):

  • Route based on the originating port ID: This setting selects a physical uplink based on the virtual port where the traffic first entered the vSS or vDS. The method is simple and fast, and no single-NIC VM gets more bandwidth than a single physical adapter can provide. This is the default Load Balancing policy!
  • Route based on IP hash: This setting selects a physical uplink based on a hash of the source and destination IP address. The method has a higher CPU overhead but distributes bandwidth better across the physical uplinks, and it allows a single-NIC VM to use the bandwidth of multiple physical uplinks (one uplink per IP conversation).
    When using IP hash load balancing:

    • The physical uplinks for the vSS or vDS must be in an EtherChannel[1] on the physical switch, configured as a static 802.3ad link aggregation; LACP is not supported by the standard switch (the vDS gained LACP support in vSphere 5.1)
    • All uplinks of the team must be Active; standby or unused adapters are not supported together with IP hash
    • All port groups using the same physical uplinks should use the IP hash load balancing policy

Figure 3 – Useful info…

  • Route based on source MAC hash: This setting is similar to IP hash in that it hashes, but the hash is taken over the source MAC address only, so it needs no additional configuration on the physical switch. It has low overhead and is compatible with all physical switches; a single-NIC VM always lands on the same uplink, so it cannot use more than one uplink's bandwidth.
  • Use explicit failover order: This setting always uses the physical uplink that is listed first under Active Adapters; the remaining active adapters are only used when the first one fails.
  • Route based on Physical NIC load (vDS ONLY): This setting, also called Load Based Teaming, starts out like originating port ID and then re-evaluates the team every 30 seconds, moving virtual ports to another uplink when one exceeds 75% utilization.
    This policy requires no physical switch configuration at all and is the only option that balances on actual load!

The second policy is Network Failover Detection; there are two options:

  • Link Status only: Using this detects only the link state of the physical adapter. If the physical switch port fails or someone unplugs the cable from the NIC or the physical switch, the failure is detected and a failover is initiated. Link Status only cannot detect failures that leave the link up, such as a VLAN pruned from the trunk, a port blocked by spanning tree or a failed link further upstream.
  • Beacon Probing: This setting sends beacon probes out of every physical NIC in the team and listens for them on the other NICs, using what arrives to determine whether each uplink is healthy. It can typically detect physical switch misconfigurations and upstream failures and initiate a failover.
    Note: Do not use beacon probing when using the IP hash load balancing policy

Two further settings control what happens around a failover:

  • Notify Switches: Choosing Yes makes the host send out RARP frames so that the physical switches update their MAC lookup tables whenever a failover occurs or a virtual NIC is connected to the vSS; the new uplink is then used immediately instead of after the old entries age out.
    Note: If using Microsoft NLB in unicast mode set this setting to No
  • Failback: Choosing Yes returns traffic to a failed physical adapter as soon as it becomes operational again. If you choose No, the recovered adapter only becomes active again when the standby adapter that was promoted fails; this avoids flapping when a link goes up and down repeatedly.

The last policy is Failover Order; this has three sections:

  • Active Adapters: Physical adapters listed here are active and are used for inbound and outbound traffic. How they are utilized depends on the load balancing policy. These adapters are always used when connected and operational.
  • Standby Adapters: Physical adapters listed here are on standby and are only used when an active adapter fails or no longer has network connectivity
  • Unused Adapters: Physical adapters listed here will not be used

When choosing the policy “Route based on IP hash”, it is important that the physical uplinks for the vSS or vDS are in a static EtherChannel on the physical switch, with all of them Active; otherwise the switch sees the same MAC addresses on several ports and traffic is disrupted!
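As an added example (not part of the original post), the following script checks a policy dump from esxcli against the rules above: IP hash must not be combined with beacon probing or standby adapters, beacon probing needs enough uplinks to tell which link is broken, an explicit failover order really uses only the first active adapter, and a team of one adapter has nothing to fail over to. The field names and the adapter-list format are assumed from ESXi 5.x output and the SAMPLE is constructed; adjust field() if a host prints them differently.

```shell
#!/bin/sh
# Added example (not from the original post): check a teaming policy as
# reported by "esxcli network vswitch standard policy failover get" against
# the rules in the section above. Key names and the adapter lists in SAMPLE
# are a constructed approximation of ESXi 5.x output; adjust field() if your
# host prints them differently.
set -eu

# Constructed sample: IP hash with beacon probing, a standby adapter and only
# two uplinks, so every IP-hash and beacon rule below fires.
SAMPLE='   Load Balancing: iphash
   Network Failure Detection: beacon
   Notify Switches: true
   Failback: true
   Active Adapters: vmnic0
   Standby Adapters: vmnic1
   Unused Adapters:'

# Print the value of one "Key: value" line read on stdin.
field() {
    sed -n "s/^ *$1: *//p"
}

# check_policy <name>: read policy text on stdin, print one finding per line
# (no output means no findings).
check_policy() {
    name=$1
    text=$(cat)
    lb=$(printf '%s\n' "$text" | field 'Load Balancing')
    det=$(printf '%s\n' "$text" | field 'Network Failure Detection')
    active=$(printf '%s\n' "$text" | field 'Active Adapters' | tr ',' ' ')
    standby=$(printf '%s\n' "$text" | field 'Standby Adapters' | tr ',' ' ')
    set -- $active $standby            # every adapter that may carry traffic
    total=$#

    if [ "$lb" = iphash ]; then
        echo "$name: iphash in use; the uplinks must form a static EtherChannel on the physical switch"
        if [ "$det" = beacon ]; then
            echo "$name: beacon probing must not be combined with iphash"
        fi
        if [ -n "$standby" ]; then
            echo "$name: iphash with standby adapters ($standby); every channel member must be active"
        fi
    fi
    if [ "$det" = beacon ] && [ "$total" -lt 3 ]; then
        echo "$name: beacon probing with $total uplinks cannot tell which link failed (VMware recommends three or more)"
    fi
    if [ "$lb" = explicit ]; then
        set -- $active
        if [ $# -gt 1 ]; then
            echo "$name: explicit failover order sends all traffic over the first active adapter ($1); the others idle"
        fi
    fi
    if [ "$total" -lt 2 ]; then
        echo "$name: only $total uplink; no failover possible"
    fi
    return 0
}

if [ -n "${1:-}" ]; then
    # Live check of a standard switch on an ESXi host.
    esxcli network vswitch standard policy failover get --vswitch-name="$1" | check_policy "$1"
else
    printf '%s\n' "$SAMPLE" | check_policy vSwitch0
fi
```

On a host, run it as sh check-teaming.sh vSwitch0; for a port group override, pipe the output of esxcli network vswitch standard portgroup policy failover get -p <name> into check_policy instead. The EtherChannel finding is a reminder rather than a verified fact, because the host cannot see the physical switch configuration.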

Other references:

  • VMware KB 1004048 Sample configuration of EtherChannel / Link aggregation with ESX/ESXi and Cisco/HP switches

Determine and apply Failover settings

Official Documentation:
vSphere Networking, Chapter 5 “Networking Policies”, Section “Load balancing and Failover policies”, page 43

Summary:
See previous objective.


Configure explicit failover to conform with VMware best practices

Official Documentation:
vSphere Networking, Chapter 7 “Networking Best Practices”, page 75

Summary:
The vSphere Networking Guide contains a small section on Networking Best Practices.
I do recommend reading this chapter.

Concerning this objective, the idea is to separate network services from one another and to give each of them dedicated bandwidth and a failover path in case an adapter or link fails.

From last year’s blog post “Configure VMware ESXi 4.1 Networking” comes this example of how to configure explicit failover.
The Management Network uses vmnic0 as the active uplink and vmnic1 as the standby adapter; the second port group, vMotion, is configured exactly the other way around. This way both uplinks carry traffic, each service keeps its own NIC, and either service survives the loss of one uplink.

Figure 4

Management Network
VLAN 2
Management Traffic is Enabled
vmk0: 192.168.2.53
vmnic0 Active / vmnic1 Standby
Load balancing: Use explicit failover order
Failback: No

vMotion
VLAN 21
vMotion is Enabled
vmk1: 192.168.21.53
vmnic1 Active / vmnic0 Standby
Load balancing: Use explicit failover order
Failback: No
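To show the same layout as commands, here is an added example that is not from the original post: it applies the Management Network / vMotion configuration above with esxcli on an ESXi 5.x host. It assumes vSwitch0 already has vmnic0 and vmnic1 as uplinks, that vmk0 already exists on “Management Network” (it does after an installation), and a /24 netmask for the vMotion interface, which the post does not give.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the explicit-failover
# layout above with esxcli on an ESXi 5.x host. Assumptions: vSwitch0 already
# carries vmnic0 and vmnic1, vmk0 already exists on "Management Network", and
# the /24 netmask for the vMotion interface (the post only gives the address).
# Run as root on the host; with no argument the commands are only printed.
set -eu

ESXCLI="${ESXCLI:-esxcli}"
VIMCMD="${VIMCMD:-vim-cmd}"
VSWITCH="${VSWITCH:-vSwitch0}"

# Tag a port group with its VLAN and override the vSwitch teaming policy:
# explicit failover order, one active and one standby uplink, failback off.
# Usage: configure_explicit_failover <portgroup> <vlan> <active> <standby>
configure_explicit_failover() {
    pg=$1 vlan=$2 active=$3 standby=$4
    # Create the port group if missing ("add" fails when it already exists).
    "$ESXCLI" network vswitch standard portgroup add \
        --vswitch-name="$VSWITCH" --portgroup-name="$pg" 2>/dev/null || true
    "$ESXCLI" network vswitch standard portgroup set \
        --portgroup-name="$pg" --vlan-id="$vlan"
    "$ESXCLI" network vswitch standard portgroup policy failover set \
        --portgroup-name="$pg" \
        --load-balancing=explicit \
        --active-uplinks="$active" \
        --standby-uplinks="$standby" \
        --failback=false
}

# Create a vmkernel interface with a static address on a port group.
# Usage: add_vmkernel <vmk> <portgroup> <ipv4> <netmask>
add_vmkernel() {
    "$ESXCLI" network ip interface add \
        --interface-name="$1" --portgroup-name="$2" 2>/dev/null || true
    "$ESXCLI" network ip interface ipv4 set \
        --interface-name="$1" --type=static --ipv4="$3" --netmask="$4"
}

main() {
    # Management: vmnic0 active, vmnic1 standby (vmk0 already exists).
    configure_explicit_failover "Management Network" 2 vmnic0 vmnic1
    # vMotion: the mirror image, so each uplink is primary for one service
    # and both stay in use until one of them fails.
    configure_explicit_failover vMotion 21 vmnic1 vmnic0
    add_vmkernel vmk1 vMotion 192.168.21.53 255.255.255.0
    # Enable vMotion on vmk1 (ESXi 5.0 syntax; 5.1 and later also accept
    # "esxcli network ip interface tag add -i vmk1 -t VMotion").
    "$VIMCMD" hostsvc/vmotion/vnic_set vmk1
}

case "${1:-}" in
    apply) main ;;
    *)     (ESXCLI=echo; VIMCMD=echo; main) ;;   # preview only
esac
```

Without an argument the script prints the commands; sh explicit-failover.sh apply runs them. Verify the result with esxcli network vswitch standard portgroup policy failover get -p vMotion, which should report explicit load balancing, vmnic1 active, vmnic0 standby and Failback false.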


Configure port groups to properly isolate network traffic

Official Documentation:
vSphere Networking, Chapter 7 “Networking Best Practices”, page 75

Summary:
From the VMware Best Practices:

Keep the vMotion connection on a separate network devoted to vMotion. When migration with vMotion occurs, the contents of the guest operating system’s memory is transmitted over the network. You can do this either by using VLANs to segment a single physical network or by using separate physical networks (the latter is preferable).

To physically separate network services and to dedicate a particular set of NICs to a specific network service, create a vSphere standard switch or vSphere distributed switch for each service. If this is not possible, separate network services on a single switch by attaching them to port groups with different VLAN IDs. In either case, confirm with your network administrator that the networks or VLANs you choose are isolated in the rest of your environment and that no routers connect them.

In general, network administrators will tell you the same:

  • Separate traffic by introducing VLANs
  • Create one port group per VLAN
  • Separate vSphere management traffic (Management, vMotion, FT Logging) from virtual machine traffic and storage traffic (iSCSI). Create a separate switch for each category; this way the physical adapters are separated as well
  • Do not configure virtual machines with more than one NIC unless necessary, e.g. for firewall appliances. A VM with a foot in two VLANs bridges them and undoes the isolation; instead, use a firewall to route traffic between VLANs.

Other references:

Scott Drummond also collected some best practices in this post.


[1] EtherChannel, see: http://en.wikipedia.org/wiki/EtherChannel EtherChannel is a port link aggregation technology or port-channel architecture used primarily on Cisco switches. It allows grouping of several physical Ethernet links to create one logical Ethernet link for the purpose of providing fault tolerance and high-speed links between switches, routers and servers. In case you have a stacked switch, you can spread the ports over more than one switch.
