Saturday, January 10, 2009

Virtual Network Components

The key virtual networking components in a VMware Infrastructure are virtual Ethernet adapters and virtual switches. A virtual machine can be configured with one or more virtual Ethernet adapters. Virtual switches allow virtual machines on the same VMware ESX host to communicate with each other using the same protocols that would be used over physical switches, without the need for additional hardware. They also support VLANs that are compatible with standard VLAN implementations from other vendors, such as Cisco.

Connecting Virtual Machines to your Network

VMware technology lets you link local virtual machines to each other and to the external enterprise network through the virtual switch. The virtual switch emulates a traditional physical Ethernet network switch to the extent that it forwards frames at the data link layer. VMware ESX may contain multiple virtual switches, each providing more than 1,000 internal virtual ports for virtual machine use.

The virtual switch connects to the enterprise network through outbound Ethernet adapters. A maximum of eight Gigabit Ethernet ports or ten 10/100 Ethernet ports can be used by the virtual switch for external connectivity. The virtual switch is capable of binding multiple VMNICs together, in a manner much like NIC teaming on a traditional server, offering greater availability and bandwidth to the virtual machines using the virtual switch.

Virtual Ethernet Adapters

There are three types of adapters available for virtual machines in VMware Infrastructure 3.

  1. vmxnet is a paravirtualized device that works only if VMware Tools is installed in the guest operating system. This adapter is optimized for virtual environments and designed for high performance.
  2. vlance emulates the AMD Lance PCNet32 Ethernet adapter. It is compatible with most 32-bit guest operating systems and can be used without VMware Tools.
  3. e1000 emulates the Intel E1000 Ethernet adapter and is used in either 64-bit or 32-bit virtual machines.

There are two other virtual adapters that are available through VMware technology. The vswif adapter is a paravirtualized device similar to vmxnet that is used by the VMware ESX service console. The vmknic adapter is a device in the VMkernel that is used by its TCP/IP stack to serve NFS and software iSCSI clients.

Virtual Switches

VMware technology includes virtual switches that you can build on demand at run-time to provide different functions, including:

  1. Layer 2 forwarding.
  2. VLAN tagging, stripping and filtering.
  3. Layer 2 security, checksum and segmentation offloading.

This modular approach reduces complexity and maximizes system performance: VMware virtualization technology loads only those components it needs to support the specific physical and virtual Ethernet adapter types used in the configuration. Additionally, the modular design enables VMware and third-party developers to incorporate new modules to enhance the system in the future. Up to 248 virtual switches can be created on each VMware ESX host. Following are important features of virtual switches:

  • Virtual ports: The ports on a virtual switch provide logical connection points among virtual devices and between virtual and physical devices. Each virtual switch can have up to 1,016 virtual ports, with a limit of 4,096 ports on all virtual switches on a host. The virtual ports provide a rich control channel for communication with the virtual Ethernet adapters attached to them.
  • Uplink ports: Uplink ports are associated with physical adapters, providing a connection between the virtual network and the physical networks. They connect to physical adapters when they are initialized by a device driver or when the teaming policies for virtual switches are reconfigured. Virtual Ethernet adapters connect to virtual ports when you power on the virtual machine, when you take an action to connect the device or when you migrate a virtual machine using VMware VMotion. A virtual Ethernet adapter updates the virtual switch port with MAC filtering information when it is initialized or when it changes.
  • Port groups: Port groups make it possible to specify that a given virtual machine should have a particular type of connectivity on every host, and they contain enough configuration information to provide persistent and consistent network access for virtual Ethernet adapters. The information contained in a port group includes the virtual switch name, VLAN IDs and policies for tagging and filtering, the teaming policy and traffic shaping parameters. This is all the information needed for a switch port.
  • Uplinks: With VMware technology, uplinks are the physical Ethernet adapters that serve as bridges between the virtual and physical network. The virtual ports connected to them are called uplink ports. A host may have up to 32 uplinks.

Other things to consider:

  • Virtual switches do not learn from the network to populate their forwarding tables; the table is populated only by the virtual Ethernet adapters attached to the switch. This helps to minimize denial-of-service attacks.
  • Virtual switches make private copies of the frame data used to make forwarding or filtering decisions. This ensures that guest operating systems cannot access or alter sensitive data once the frame has been passed to the virtual switch.
  • VMware technology ensures that frames are contained within the appropriate VLAN on a virtual switch 1) by carrying the VLAN data outside the frame as it passes through the virtual switch, and 2) because there is no dynamic trunking support that could open up isolation leaks and make the data vulnerable to attack.

Virtual Switches vs. Physical Switches

Virtual switches are similar to modern physical Ethernet switches in many ways. Like a physical switch, a virtual switch maintains a MAC:port forwarding table and performs frame destination lookup and frame forwarding. It also supports VLAN segmentation at the port level, so that each port can be configured as an access or trunk port, providing access to either a single VLAN or multiple VLANs.

However, unlike physical switches, virtual switches do not require a spanning tree protocol, because VMware Infrastructure 3 enforces a single-tier networking topology. There is no way to interconnect multiple virtual switches. Also, network traffic cannot flow directly from one virtual switch to another within the same host. Virtual switches provide all the ports you need in one switch. You don’t need to cascade virtual switches or prevent bad virtual switch connections, and because they don’t share physical Ethernet adapters, leaks between switches do not occur. Each virtual switch is isolated and has its own forwarding table, so every destination the switch looks up can match only ports on the same virtual switch where the frame originated. This feature improves security, making it difficult for hackers to break virtual switch isolation.
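The behaviours described in "Other things to consider" and in this comparison (no MAC learning from traffic, VLAN membership carried as port metadata rather than read from the frame, and a forwarding table that is private to each virtual switch) can be made concrete with a small model. The following Python is an added illustration written for this page, not VMware code; the two switches, their port groups and the MAC addresses are constructed for the demo.

```python
"""Toy model of ESX 3 virtual switch forwarding (added illustration, not VMware
code). It shows three behaviours from the post: the table is filled only by
attached virtual adapters, VLAN membership is per-port metadata rather than
read from the frame, and each vSwitch has its own isolated table."""
UPLINK = "uplink"  # the frame leaves the host through a physical adapter


class VSwitch:
    def __init__(self, name):
        self.name = name
        self.ports = {}   # port number -> (mac, vlan_id of its port group)
        self.table = {}   # mac -> port number; written only by connect()

    def connect(self, mac, vlan_id=0):
        """Power on a vNIC: it registers its MAC with its port, as the post describes."""
        if not 0 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 0 (untagged) or 1..4094")
        port = len(self.ports)
        self.ports[port] = (mac.lower(), vlan_id)
        self.table[mac.lower()] = port
        return port

    def forward(self, src_port, frame):
        """Decide where a frame {'src': mac, 'dst': mac} from src_port goes.
        The frame's own 'src' never updates the table (no learning)."""
        _, vlan = self.ports[src_port]  # VLAN comes from the port, not the frame
        dst_port = self.table.get(frame["dst"].lower())
        if dst_port is None or self.ports[dst_port][1] != vlan:
            # Unknown or other-VLAN destination: out the uplink, tagged with
            # the source port's VLAN (0 means it leaves untagged).
            return (UPLINK, vlan)
        return ("port", dst_port)


def demo():
    """Two vSwitches on one host with constructed MACs; returns the decisions."""
    vs0, vs1 = VSwitch("vSwitch0"), VSwitch("vSwitch1")
    a = vs0.connect("00:50:56:aa:00:01", vlan_id=10)
    vs0.connect("00:50:56:aa:00:02", vlan_id=10)
    vs0.connect("00:50:56:aa:00:03", vlan_id=20)
    vs1.connect("00:50:56:bb:00:01", vlan_id=10)
    src = "00:50:56:aa:00:01"
    same_vlan = vs0.forward(a, {"src": src, "dst": "00:50:56:aa:00:02"})
    other_vlan = vs0.forward(a, {"src": src, "dst": "00:50:56:aa:00:03"})
    other_switch = vs0.forward(a, {"src": src, "dst": "00:50:56:bb:00:01"})
    spoofed = vs0.forward(a, {"src": "00:50:56:ff:ff:ff", "dst": "00:50:56:aa:00:02"})
    return same_vlan, other_vlan, other_switch, spoofed, "00:50:56:ff:ff:ff" in vs0.table
```

The frame to a MAC that lives on vSwitch1 is sent out the uplink rather than delivered across switches, and the spoofed source address is forwarded on but never enters the table.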


1 comment:

Wobblyman said...

Good article, but I'm wondering if there is a way to monitor individual 'virtual ports' with SNMP, similar to a virtual switch? I'm trying to count individual virtual machine data to and from them in order to charge out. We are looking at PRTG at the moment, but are only able to 'sniff' the traffic from the Virtuals. This isn't the most reliable at the moment.