In this post we will continue implementing vDS for our lab configuration and cover the blueprint objectives.
Describe vDS Security Policies/Settings:
vDS security policies can be applied to the switch in several locations:
- Apply policy per DPortGroup
- Apply policy per individual port
When you apply a policy on a port group you can also allow individual ports to override it. For example, if you want a specific port to use NetFlow, you will need to allow the NetFlow override option on the DPortGroup.
The following are the security policies that you can apply on the DPortGroup and on individual ports:
Promiscuous Mode Operation – Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs, so that the guest operating system receives all traffic observed on the wire. (Mostly used to sniff network traffic with applications like tcpdump/Wireshark.)
MAC Address Changes:
- Accept option – ESXi accepts requests to change the effective MAC address to a different address than the initial MAC address.
- Reject option – ESXi does not honor requests to change the effective
Forged Transmits – The Forged Transmits option affects traffic that is transmitted from a virtual machine.
- Accept option – ESXi does not compare source and effective MAC addresses.
- Reject option – protects against MAC impersonation.
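The following PowerCLI script is an added example, not code from the original post: it sets all three security options to Reject on a port group, turns on the per-port override that the text describes, grants Promiscuous Mode to a single port (for example the port of a packet-capture VM) and then reports every port whose effective policy differs from the group default. The vDS name "Lab-vDS", the port group name "Lab-DPG" and the port key "12" are placeholders; an open Connect-VIServer session is assumed.

```powershell
# Added example: harden a dvPort group and audit per-port security exceptions.
# Assumes an existing PowerCLI session (Connect-VIServer). Names are placeholders.

$pg = Get-VDPortgroup -Name 'Lab-DPG' -VDSwitch 'Lab-vDS'

# 1. Group default: reject Promiscuous Mode, MAC Address Changes and Forged Transmits.
$pg | Get-VDSecurityPolicy |
    Set-VDSecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
    Out-Null

# 2. Allow individual ports to override the security policy (disabled by default).
$pg | Get-VDPortgroupOverridePolicy |
    Set-VDPortgroupOverridePolicy -SecurityOverrideAllowed $true | Out-Null

# 3. Grant Promiscuous Mode on exactly one port (placeholder key '12').
$capturePort = $pg | Get-VDPort -Key '12'
$capturePort | Get-VDSecurityPolicy |
    Set-VDSecurityPolicy -AllowPromiscuous $true | Out-Null

# 4. Audit: every port whose effective policy differs from the group default.
function Get-VDSecurityException {
    param([Parameter(Mandatory)] $Portgroup)

    $default = $Portgroup | Get-VDSecurityPolicy
    $Portgroup | Get-VDPort | ForEach-Object {
        $port   = $_
        $policy = $port | Get-VDSecurityPolicy
        if ($policy.AllowPromiscuous -ne $default.AllowPromiscuous -or
            $policy.MacChanges       -ne $default.MacChanges       -or
            $policy.ForgedTransmits  -ne $default.ForgedTransmits) {
            [pscustomobject]@{
                Port             = $port.Key
                ConnectedEntity  = $port.ConnectedEntity
                AllowPromiscuous = $policy.AllowPromiscuous
                MacChanges       = $policy.MacChanges
                ForgedTransmits  = $policy.ForgedTransmits
            }
        }
    }
}

# Expected after the steps above: a single row for port '12' with AllowPromiscuous = True.
Get-VDSecurityException -Portgroup $pg | Format-Table -AutoSize
```

Running the audit function on a schedule is a cheap way to spot ports that were switched to Accept outside of change control; the exception list should stay as short as the one you created on purpose.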
Configure traffic shaping policies:
Configure load balancing and failover policies:
Load balancing and failover policies are defined in the DPortGroup; VMware uses the name Teaming and failover.
Load balancing: VMware provides a few algorithms for configuring load balancing; look at the drop-down menu for all the options. For a deeper understanding of each algorithm, see the VMware Networking guide (here is a screenshot).
Network failure detection: Link status only relies solely on the link status that the network adapter provides. Beacon probing sends out and listens for Ethernet broadcast frames that the physical NICs send to detect link failure.
Notify switches and failback: The virtual switch sends notifications over the network to update the lookup tables on physical switches, and if failback is set it will fail back to the standby NIC.
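Here is an added PowerCLI example (not from the original post) that applies a complete Teaming and failover policy to a port group: load balancing by originating virtual port, link-status failure detection, notify switches and failback enabled, with two active and one standby uplink. It also includes a small audit that lists the teaming settings of every port group on the switch, so a group that silently dropped failback or notify switches stands out. "Lab-vDS", "Lab-DPG" and the uplink names "Uplink 1" to "Uplink 3" are placeholders; an open Connect-VIServer session is assumed.

```powershell
# Added example: configure and audit Teaming and failover on a dvPort group.
# Assumes an existing PowerCLI session. Switch, port group and uplink names are placeholders.

$vds = Get-VDSwitch -Name 'Lab-vDS'
$pg  = Get-VDPortgroup -Name 'Lab-DPG' -VDSwitch $vds

# Beacon probing only gives a usable result with three or more uplinks (with two it
# cannot tell which side failed), so fall back to link status on a small switch.
$detection = if ($vds.NumUplinkPorts -ge 3) { 'BeaconProbing' } else { 'LinkStatus' }

$pg | Get-VDUplinkTeamingPolicy |
    Set-VDUplinkTeamingPolicy `
        -LoadBalancingPolicy     LoadBalanceSrcId `
        -FailoverDetectionPolicy $detection `
        -NotifySwitches          $true `
        -EnableFailback          $true `
        -ActiveUplinkPort        'Uplink 1', 'Uplink 2' `
        -StandbyUplinkPort       'Uplink 3' |
    Out-Null

# Audit every (non-uplink) port group on the switch.
function Get-VDTeamingReport {
    param([Parameter(Mandatory)] $VDSwitch)

    Get-VDPortgroup -VDSwitch $VDSwitch | Where-Object { -not $_.IsUplink } | ForEach-Object {
        $t = $_ | Get-VDUplinkTeamingPolicy
        [pscustomobject]@{
            Portgroup        = $_.Name
            LoadBalancing    = $t.LoadBalancingPolicy
            FailureDetection = $t.FailoverDetectionPolicy
            NotifySwitches   = $t.NotifySwitches
            Failback         = $t.EnableFailback
            Active           = ($t.ActiveUplinkPort  -join ',')
            Standby          = ($t.StandbyUplinkPort -join ',')
        }
    }
}

Get-VDTeamingReport -VDSwitch $vds | Format-Table -AutoSize
```

LoadBalanceIP (route based on IP hash) is the one option that requires a matching EtherChannel/LACP configuration on the physical switch; the others in the drop-down work without any upstream change, which is why the example defaults to LoadBalanceSrcId.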
Configure dvPort group blocking policies:
You can block all ports in a dvPort group. Before you do that, READ the warning!!! This has a big impact on all VMs connected to this dvPort group.
Enable Jumbo Frames support on appropriate components:
If your switch and NICs support jumbo frames (which most new hardware does), you can change the MTU to the jumbo frame size (9000). If you enable it on the physical switch, don't forget to enable it on the dVS as well, so that every component in the path participates.
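The following is an added PowerCLI example, not code from the original post. It raises the MTU on the vDS and on every VMkernel adapter attached to it, and then verifies the end-to-end path with a don't-fragment ping of 8972 bytes (9000 minus 28 bytes of IP and ICMP headers) from each host, which is the same check as running vmkping -d -s 8972 on the host. "Lab-vDS" and the target address 192.0.2.10 are placeholders; an open Connect-VIServer session is assumed, as is that Get-VMHostNetworkAdapter accepts the vDS on its -VirtualSwitch parameter.

```powershell
# Added example: enable jumbo frames on a vDS and verify the path with a DF ping.
# Assumes an existing PowerCLI session. Names and addresses are placeholders.

$vds       = Get-VDSwitch -Name 'Lab-vDS'
$jumboMtu  = 9000
$probeSize = $jumboMtu - 28            # 20 bytes IPv4 header + 8 bytes ICMP header
$target    = '192.0.2.10'              # placeholder: a vmkernel IP on another host

# 1. Switch-level MTU.
$vds | Set-VDSwitch -Mtu $jumboMtu | Out-Null

# 2. Every VMkernel adapter on the switch (vMotion, vSAN, NFS ...).
foreach ($vmhost in ($vds | Get-VMHost)) {
    Get-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $vds -VMKernel |
        Where-Object { $_.Mtu -ne $jumboMtu } |
        Set-VMHostNetworkAdapter -Mtu $jumboMtu -Confirm:$false | Out-Null
}

# 3. Verify: an 8972-byte ping with DF set only succeeds if every hop passes 9000 bytes.
function Test-JumboPath {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [string] $TargetIp,
        [int] $Size = 8972
    )
    $esxcli = Get-EsxCli -VMHost $VMHost -V2
    $args   = $esxcli.network.diag.ping.CreateArgs()
    $args.host  = $TargetIp
    $args.size  = $Size
    $args.df    = $true
    $args.count = 3
    $result = $esxcli.network.diag.ping.Invoke($args)
    [pscustomobject]@{
        Host        = $VMHost.Name
        Target      = $TargetIp
        Transmitted = $result.Summary.Transmitted
        Received    = $result.Summary.Received
        JumboOk     = ($result.Summary.Received -gt 0)
    }
}

$vds | Get-VMHost | ForEach-Object { Test-JumboPath -VMHost $_ -TargetIp $target -Size $probeSize } |
    Format-Table -AutoSize
```

A host that shows Received = 0 here while a normal ping works is the classic sign that the physical switch port or an intermediate link is still at 1500 bytes.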
Enable TCP Segmentation Offload support for a virtual machine:
We can use TCP Segmentation Offload (TSO) on VMkernel network adapters and in virtual machines to improve network performance in workloads that have severe latency requirements.
Before enabling this feature you have to determine whether TSO is supported by the physical NIC in the host. To do that, connect to the ESXi CLI and run the following command: esxcli network nic tso get
If TSO is supported on your ESXi host you can enable it via the host advanced settings; search for Net.UseHwTSO.
- To enable TSO, set Net.UseHwTSO and Net.UseHwTSO6 to 1.
- To disable TSO, set Net.UseHwTSO and Net.UseHwTSO6 to 0.
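The two steps above (check the NICs, then set Net.UseHwTSO and Net.UseHwTSO6) can be done from PowerCLI without opening an SSH session. The function below is an added example, not code from the original post: it runs the same query as esxcli network nic tso get through Get-EsxCli, refuses to enable hardware TSO on a host where any physical NIC reports it off, and otherwise sets both advanced settings to the requested value. An open Connect-VIServer session is assumed; the host name "esxi-01" is a placeholder.

```powershell
# Added example: check NIC TSO support, then set Net.UseHwTSO / Net.UseHwTSO6.
# Assumes an existing PowerCLI session. The host name is a placeholder.

function Set-HostTso {
    param(
        [Parameter(Mandatory)] $VMHost,
        [ValidateSet(0, 1)] [int] $Value = 1,   # 1 = enable, 0 = disable
        [switch] $Force                          # enable even if a NIC reports TSO off
    )

    # Same data as "esxcli network nic tso get": one row per vmnic with Value on/off.
    $esxcli  = Get-EsxCli -VMHost $VMHost -V2
    $nicTso  = $esxcli.network.nic.tso.get.Invoke()
    $offNics = @($nicTso | Where-Object { $_.Value -ne 'on' } | ForEach-Object { $_.NIC })

    if ($Value -eq 1 -and $offNics.Count -gt 0 -and -not $Force) {
        Write-Warning ("{0}: TSO is off on {1}; not enabling Net.UseHwTSO (use -Force to override)" -f
            $VMHost.Name, ($offNics -join ', '))
        return $null
    }

    Get-AdvancedSetting -Entity $VMHost -Name 'Net.UseHwTSO', 'Net.UseHwTSO6' |
        Where-Object { $_.Value -ne $Value } |
        Set-AdvancedSetting -Value $Value -Confirm:$false | Out-Null

    # Return the effective state so the caller can verify it.
    [pscustomobject]@{
        Host       = $VMHost.Name
        NicTsoOff  = ($offNics -join ',')
        UseHwTSO   = (Get-AdvancedSetting -Entity $VMHost -Name 'Net.UseHwTSO').Value
        UseHwTSO6  = (Get-AdvancedSetting -Entity $VMHost -Name 'Net.UseHwTSO6').Value
    }
}

Set-HostTso -VMHost (Get-VMHost -Name 'esxi-01') -Value 1 | Format-Table -AutoSize
```

The guard matters because Net.UseHwTSO is a host-wide switch: enabling it while one uplink's NIC cannot offload segmentation just moves the work back into software on that path, so the check is worth keeping in any bulk change over a cluster.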
Configure VLAN/PVLAN settings for VMs:
To enable the VLAN policy, you first have to enable the VLAN policy at the uplink port level to allow all VLANs (VLAN trunking 0-4094), and then you can configure a VLAN per dvPort group.
Private VLANs are basically VLANs within a VLAN. There are three types of private VLAN: promiscuous, community and isolated.
- Promiscuous – ports on a private VLAN can communicate with ports configured as the primary VLAN.
- Isolated – can communicate only with promiscuous ports.
- Community – can communicate with both promiscuous ports and other ports on the same secondary VLAN.
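This added PowerCLI example (not from the original post) walks the VLAN procedure end to end: it trunks 0-4094 on the uplink port group, tags a regular port group with a VLAN ID, creates one private VLAN of each type (promiscuous, isolated, community) on the switch, and assigns the isolated secondary VLAN to a port group so that VMs on it can only reach the promiscuous ports. "Lab-vDS", the port group names and the VLAN numbers 100, 200, 201 and 202 are placeholders; an open Connect-VIServer session is assumed.

```powershell
# Added example: VLAN trunking, port group VLAN ID and a full private VLAN set-up.
# Assumes an existing PowerCLI session. Switch, port group and VLAN numbers are placeholders.

$vds = Get-VDSwitch -Name 'Lab-vDS'

# 1. Uplink port group: trunk every VLAN so the physical uplinks carry all tags.
Get-VDPortgroup -VDSwitch $vds | Where-Object { $_.IsUplink } | ForEach-Object {
    Set-VDVlanConfiguration -VDPortgroup $_ -VlanTrunkRange '0-4094' | Out-Null
}

# 2. Ordinary port group: a single VLAN ID (tagging done by the vDS).
$servers = Get-VDPortgroup -Name 'Lab-Servers' -VDSwitch $vds
Set-VDVlanConfiguration -VDPortgroup $servers -VlanId 100 | Out-Null

# 3. Private VLANs. Primary 200 is created as Promiscuous (secondary = primary);
#    201 is Isolated and 202 is Community, both inside primary 200.
$pvlanPlan = @(
    @{ Primary = 200; Secondary = 200; Type = 'Promiscuous' },
    @{ Primary = 200; Secondary = 201; Type = 'Isolated'    },
    @{ Primary = 200; Secondary = 202; Type = 'Community'   }
)
$existing = Get-VDSwitchPrivateVlan -VDSwitch $vds
foreach ($p in $pvlanPlan) {
    $already = $existing | Where-Object {
        $_.PrimaryVlanId -eq $p.Primary -and $_.SecondaryVlanId -eq $p.Secondary
    }
    if (-not $already) {
        New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId $p.Primary `
            -SecondaryVlanId $p.Secondary -PrivateVlanType $p.Type | Out-Null
    }
}

# 4. Put an untrusted/DMZ style port group on the isolated secondary VLAN:
#    its VMs can talk to the promiscuous ports (gateway, firewall) but not to each other.
$dmz = Get-VDPortgroup -Name 'Lab-DMZ' -VDSwitch $vds
Set-VDVlanConfiguration -VDPortgroup $dmz -PrivateVlanId 201 | Out-Null

# 5. Report the resulting VLAN configuration of every port group.
function Get-VDVlanReport {
    param([Parameter(Mandatory)] $VDSwitch)
    Get-VDPortgroup -VDSwitch $VDSwitch | ForEach-Object {
        [pscustomobject]@{
            Portgroup = $_.Name
            IsUplink  = $_.IsUplink
            VlanType  = $_.VlanConfiguration.VlanType
            Vlan      = $_.VlanConfiguration.ToString()
        }
    }
}

Get-VDVlanReport -VDSwitch $vds | Format-Table -AutoSize
```

The promiscuous entry with secondary equal to primary must exist before the isolated and community entries can be created, which is why the plan lists it first; the physical switch must also be configured with the same primary/secondary mapping for the private VLAN to hold beyond the host.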
Thanks for reading