vDCA550-Objective 2.1-3-Configure advanced vSS settings

There are several settings which you can change in the VSS:

  1. Set the MTU Size
  2. Security Settings
  3. Traffic shaping
  4. Teaming and failover policies
  5. VLAN (additional)

You can change the advanced VSS settings by selecting the virtual switch and clicking on the “Pencil” sign.


1-MTU Size.

From GUI:

You can change the MTU size by editing the VSS Setting -> Properties -> Set MTU Size (Bytes)

MTU stands for Maximum Transmission Unit. You can set or change the MTU size in bytes. By default it is set to 1500. There is only one use case I can think of for changing the default MTU: the use of jumbo frames, which can be used in the case of NFS with 10G Ethernet. To enable jumbo frames, change the default MTU size to 9000.

NOTE: When you use jumbo frames on ESXi, make sure your physical switch and storage are also configured for jumbo frames.


Example:

Change the default MTU size of “vSwitch0” to “9000”

#esxcli network vswitch standard set -m 9000 -v vSwitch0

Where -m is the MTU and -v is the virtual switch name

2-Security Settings

From GUI:

You can change the security settings by editing the VSS Setting -> Security -> Change “Accept/Reject” from the dropdown.

It is good practice not to change the default security policy unless you have a specific use case.

Promiscuous Mode: By default it is “Reject”. You can set it to “Accept” if you want to use an application in a virtual machine that analyzes or sniffs packets, such as a network-based intrusion detection system.

MAC Address Changes: By default this policy is set to “Accept” in VSS. Setting it to “Reject” helps protect against certain attacks launched by a rogue guest operating system. If the guest (VM) attempts to change the MAC address assigned to its virtual NIC, the VM stops receiving traffic; in other words, all inbound traffic to this VM is dropped.

Forged Transmits: By default this policy is set to “Accept” in VSS. Forged Transmits behaves as the opposite of MAC Address Changes. If you set it to “Reject”, it checks the source MAC address; if it has been changed, all outbound traffic from the VM is dropped. In other words, a forged transmit occurs when a network adapter starts sending out traffic while pretending to be someone else.


From CLI:

Example:

Change the default “Promiscuous” security policy of the port group “VM Network” to “Accept”

#esxcli network vswitch standard portgroup policy security set -p "VM Network" -o true

Where -o is “--allow-promiscuous” and -p is “--portgroup-name”

Similarly, you can use the -f (forged transmits) and -m (MAC address change) options of the above CLI command.
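
A check for the three security policies described above, as an added example that is not part of the original post: it reads the text printed by "esxcli network vswitch standard policy security get -v vSwitch0" (or the port group equivalent) and reports every policy left at Accept. The "Key: value" output layout, the function name and the sample text are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the three vSS security
# policies from the text printed by
#   esxcli network vswitch standard policy security get -v <vswitch>
#   esxcli network vswitch standard portgroup policy security get -p <portgroup>
# Assumption: the output is indented "Key: value" lines, as in the sample.

# Constructed port group sample, not captured from a real host.
SAMPLE_PORTGROUP='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: false
   Override vSwitch Allow Promiscuous: true
   Override vSwitch Allow MAC Address Change: false
   Override vSwitch Allow Forged Transmits: false'

# audit_security_policy NAME
# Reads policy text on stdin and prints one line per policy set to Accept.
# Returns 0 if all three are Reject, 1 if any is Accept, and 2 if a policy
# line is missing (for example because the get command failed).
audit_security_policy() {
    awk -v name="$1" '
        BEGIN { FS = ": *"; seen = 0; bad = 0 }
        {
            key = $1; sub(/^[ \t]+/, "", key)
            val = $2; sub(/[ \t\r]+$/, "", val)
            # Exact key match, so "Override vSwitch ..." lines are skipped.
            if (key != "Allow Promiscuous" &&
                key != "Allow MAC Address Change" &&
                key != "Allow Forged Transmits") next
            seen++
            if (val == "true") {
                printf "%s: %s = Accept\n", name, key
                bad++
            }
        }
        END {
            if (seen != 3) { printf "%s: incomplete policy output\n", name; exit 2 }
            exit (bad > 0 ? 1 : 0)
        }'
}

# Demo on the sample; on a host, pipe the esxcli get output in instead.
printf '%s\n' "$SAMPLE_PORTGROUP" | audit_security_policy "VM Network" ||
    echo "audit exit status: $?"
```

A port group whose promiscuous mode was deliberately set to Accept for an intrusion detection VM will show up here as a finding, which makes the script a quick way to keep a list of such exceptions.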

3-Traffic shaping

From GUI:

You can change traffic shaping by editing the VSS Setting -> Traffic Shaping -> Change “Enabled/Disabled” from the dropdown.

With VSS you can only shape or limit outbound network traffic. By default this setting is “Disabled” in VSS. However, you can enable it and set the network traffic limit as Average/Peak/Burst.


From CLI:

Example:

“Enable” traffic shaping on “vSwitch0” and set the bandwidth (AVG 700/Burst 1024/Peak 900)

#esxcli network vswitch standard policy shaping set -v vSwitch0 -e true -b 700 -t 1024 -k 900

Where “-b|--avg-bandwidth=<long>”, “-t|--burst-size=<long>”, “-e|--enabled”, “-k|--peak-bandwidth=<long>” and “-v|--vswitch-name=<str>”

4-Teaming and failover policies

From GUI:

You can change the teaming and failover policies by editing the VSS Setting -> Teaming and Failover -> Change your desired settings.

NIC team policies allow you to determine how network traffic is distributed between adapters and how to reroute traffic in the event of an adapter failure. NIC teaming policies include load-balancing and failover settings. Default NIC teaming policies are set for the entire standard switch. You can override these default settings at the port group level.

I-Load Balancing Policies

Route Based on the Originating Virtual Port

How it Works?

This policy is simple and is the default for VMware in VSS. No additional configuration is required on the physical switch. This policy works in a round-robin fashion. Suppose you have multiple uplinks in the active state attached to a port group, and this port group has multiple VMs. These VMs are then load balanced over the physical NICs, meaning VM1 goes to vmnic1, VM2 goes to vmnic2, and so on. This can be bad at times, because two highly intensive VMs may end up using the same physical NIC.

Route Based on IP Hash

How it Works?

This policy requires physical switch configuration and is used with an EtherChannel configuration. It checks the source and destination IPs. If a source is connecting to multiple different destination IPs, it will utilize all the available physical NICs.

Route Based on Source MAC

How it Works?

This policy requires no physical switch configuration. It works like the IP hash policy, meaning it checks the source and destination MAC addresses. If a source is connecting to multiple different destination MACs, it will utilize all the available physical NICs. This is useful for a lab in a nested environment.

Use Explicit Failover Order

How it Works?

It does not do any kind of load balancing. If this is used, the first Active NIC on the list is used. If that one fails, the next Active NIC on the list is used, and so on, until you reach the Standby NICs. Keep in mind that if you select the Explicit Failover option and you have a vSwitch with many uplinks, only one of them will be actively used at any given time. Use this policy only in circumstances where using only one link rather than load balancing over all links is desired or required.

II-Network Failure detection

Using this will detect the link state of the physical adapter.  If the physical switch fails or someone unplugs the cable from the NIC or the physical switch, failure will be detected and failover initiated. 

  • Link Status: only detects the link status; it does not detect misconfigurations such as VLAN pruning or spanning tree.
  • Beacon probing: this setting requires a minimum of 3 physical NICs. It listens for beacon probes on all physical NICs that are part of the team, then uses the information from the beacon probes to determine the link status. This method will typically be able to detect physical switch misconfigurations and initiate a failover.

III-Notify Switch

If this is set to “Yes”, which is the default setting, the switch is notified in case of any failure or when a virtual NIC is connected to the virtual switch.

IV-Failback

It tells us how a physical adapter is returned to the active state after recovering from a failure.


From CLI:

Example 1:

Change the load balancing policy of “vSwitch0” to “IP based Hashing”

#esxcli network vswitch standard policy failover set -v vSwitch0 -l iphash

Where “-l|--load-balancing=<str> (portid, iphash, mac, explicit)” and “-v|--vswitch-name=<str>”

Example 2:

Change the “Network failover detection” method of “vSwitch0” to “beacon probing”

#esxcli network vswitch standard policy failover set -v vSwitch0 -f beacon

Where “-f|--failure-detection (link, beacon)” and “-v|--vswitch-name=<str>”

Example 3:

Set the “Notify Switch” option of “vSwitch0” to “No”

#esxcli network vswitch standard policy failover set -v vSwitch0 -n false

Where “-v|--vswitch-name” and “-n|--notify-switches”

Example 4:

Set the “failback” of “vSwitch0” to “no”

#esxcli network vswitch standard policy failover set -v vSwitch0 -b false

Where “-b|--failback” and “-v|--vswitch-name=<str>”

5-VLAN

It is not really an advanced setting of VSS, but it is important. You can set it at the port group level.

From GUI:

You can change or set the VLAN setting -> Select and edit the port group on the virtual switch -> In the port group properties, enter the VLAN ID.


From CLI:

Set the “VLAN ID” of the port group “VM Network” to 15

#esxcli network vswitch standard portgroup set -p "VM Network" -v 15

Where “-p|--portgroup-name” and “-v|--vlan-id”
