VCP 5 – Objective 2.3 – Configure vSS and vDS Policies

Identify common vSS and vDS policies

vSS and vDS common policies include:
  • Security Policies
    • Promiscuous Mode (Reject by default) – Allows a VM to see all traffic flowing through the switch, even traffic that is not destined for that VM.
    • MAC Address Changes (Accept by default) – Can block or allow traffic destined to a VM which has had its effective MAC address changed.  You may need to change the effective MAC address on a VM in order to support Microsoft NLB.
    • Forged Transmits (Accept by default) – Essentially the same as MAC Address Changes, except that it deals with traffic being transmitted by the VM (the source MAC in the frame is checked against the VM's effective MAC).
  • Traffic Shaping – Outbound only on a vSS; inbound and outbound on a vDS
    • Peak Bandwidth (kilobits/sec) – Maximum amount of bandwidth a switch can pass without dropping packets.
    • Average Bandwidth (kilobits/sec) – Data transfer per second across the switch, averaged over time.
    • Burst Size (KB) – Maximum amount of data included in a burst.
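To make the three security settings concrete, the following is an added example (not code from the original post and not VMware's implementation) that models how a virtual switch port would apply them to a few constructed frames. The policy names and defaults are the ones listed above; the vNIC fields, MAC addresses and frame handling are simplified assumptions for illustration. It shows the difference between the default policy and a hardened one where all three settings are set to Reject.

```python
"""Constructed model of the three vSwitch security settings (added example).

The policy names and defaults come from the notes above; the frame handling
is a simplified illustration, not VMware's code.
"""
from dataclasses import dataclass


@dataclass
class SecurityPolicy:
    promiscuous_mode: bool = False    # vSphere default: Reject
    mac_address_changes: bool = True  # vSphere default: Accept
    forged_transmits: bool = True     # vSphere default: Accept


@dataclass
class VNic:
    initial_mac: str    # MAC address vSphere assigned to the adapter (in the .vmx)
    effective_mac: str  # MAC address the guest OS is currently using


DEFAULT_POLICY = SecurityPolicy()
HARDENED_POLICY = SecurityPolicy(promiscuous_mode=False,
                                 mac_address_changes=False,
                                 forged_transmits=False)

BROADCAST = "ff:ff:ff:ff:ff:ff"


def deliver_inbound(policy: SecurityPolicy, vnic: VNic, dst_mac: str) -> bool:
    """Decide whether the switch hands an inbound frame to the vNIC."""
    # MAC Address Changes: the guest moved its effective MAC away from the
    # initial one. With Reject, the port stops delivering frames to it.
    if (vnic.effective_mac.lower() != vnic.initial_mac.lower()
            and not policy.mac_address_changes):
        return False
    dst = dst_mac.lower()
    if dst == vnic.effective_mac.lower() or dst == BROADCAST:
        return True
    # Frame addressed to another station: only visible with Promiscuous Mode = Accept.
    return policy.promiscuous_mode


def accept_outbound(policy: SecurityPolicy, vnic: VNic, src_mac: str) -> bool:
    """Decide whether the switch forwards a frame the VM is transmitting."""
    # Forged Transmits: the source MAC must match the effective MAC unless Accept.
    if src_mac.lower() == vnic.effective_mac.lower():
        return True
    return policy.forged_transmits


def run_scenarios(policy: SecurityPolicy) -> dict:
    """Apply one policy to constructed frames and return the verdicts by name."""
    honest = VNic("00:50:56:aa:bb:01", "00:50:56:aa:bb:01")
    # Constructed: a guest that changed its effective MAC (as an NLB node might).
    nlb_node = VNic("00:50:56:aa:bb:02", "02:bf:0a:00:00:10")
    return {
        "own_unicast": deliver_inbound(policy, honest, "00:50:56:aa:bb:01"),
        "other_vm_unicast": deliver_inbound(policy, honest, "00:50:56:aa:bb:99"),
        "frame_to_changed_mac": deliver_inbound(policy, nlb_node, "02:bf:0a:00:00:10"),
        "spoofed_source": accept_outbound(policy, honest, "00:50:56:aa:bb:99"),
    }


if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, run_scenarios(pol))
```

Under the default policy the NLB node keeps receiving traffic on its new MAC and a frame with a spoofed source MAC is forwarded; under the hardened policy both are dropped, which is why the MAC Address Changes exception for NLB has to be made deliberately on the port group that needs it rather than switch-wide.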
Configure dvPort group blocking policies
Port blocking can be done on either the complete port group or a single port.  To edit the port group settings, right click the port group and select 'Edit Settings'.  Port blocking is found on the Policies page under the Miscellaneous group, where you can select Block All Ports.  This stops inbound and outbound traffic from flowing through the ports in the port group.  If you then go to the Ports tab of the port group, you can select whether or not to block a specific port.
Configure load balancing and failover policies
Load balancing and failover policies can be set on the vSwitch as well as the port group.  Any settings on the port group override whatever is set on the switch as a whole.  The load balancing and failover options are as follows…
Load Balancing options are as follows:
  • Route Based on originating virtual port ID – This is the default when selecting load balancing.  Traffic from a given virtual port is always sent out through the same physical uplink.
  • Route Based on IP Hash – A hash is produced using the source and destination IP addresses and used to determine which NIC is used.  All ports on the physical switch must be part of an EtherChannel (I call it a LAG) group.  This is one of the truest load balancing options as it will utilize all links; however, it is not recommended if most traffic is just coming from the same IP to the same destination, as the hash would always be the same.
  • Route Based on source MAC Hash – Similar to the IP Hash in that it does a calculation.  You do not need ports bonded together for this one though.
  • Use explicit failover order – Just as it states, you can set a desired failover order for your NICs.
  • Route Based on Physical NIC load – Only available on a vDS.  Monitors load on the physical NICs and will move VMs to different NICs in order to distribute the load across all of the NICs.
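The following is an added example (not from the original post) that models how the first three policies pick an uplink, to show why IP Hash spreads one VM's traffic across links while the port-ID and MAC-hash policies pin it to one. The hash functions are simplified assumptions for illustration (virtual port ID modulo uplink count, source MAC modulo uplink count, and XOR of the two IPv4 addresses modulo uplink count); they are not VMware's exact algorithms. It also demonstrates the caveat above: a single source talking to a single destination never spreads under IP Hash.

```python
"""Constructed model of three vSwitch uplink-selection policies (added example).

The hashes are simplifications assumed for illustration, not VMware's code.
"""
import ipaddress
from collections import Counter


def uplink_by_port_id(virtual_port_id: int, num_uplinks: int) -> int:
    """Route based on originating virtual port ID: a fixed uplink per virtual port."""
    return virtual_port_id % num_uplinks


def uplink_by_mac_hash(src_mac: str, num_uplinks: int) -> int:
    """Route based on source MAC hash: no EtherChannel needed, one uplink per MAC."""
    return int(src_mac.replace(":", ""), 16) % num_uplinks


def uplink_by_ip_hash(src_ip: str, dst_ip: str, num_uplinks: int) -> int:
    """Route based on IP hash: the (source, destination) pair chooses the uplink.

    Assumed hash: XOR of the two 32-bit addresses, modulo the number of uplinks.
    """
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    return (s ^ d) % num_uplinks


def ip_hash_spread(src_ip: str, dst_ips: list, num_uplinks: int) -> Counter:
    """Count how many destination flows from one VM land on each uplink."""
    return Counter(uplink_by_ip_hash(src_ip, d, num_uplinks) for d in dst_ips)


# Constructed sample: one VM (port 7, one MAC, 10.0.0.5) and eight destinations.
VM_PORT_ID = 7
VM_MAC = "00:50:56:aa:bb:01"
VM_IP = "10.0.0.5"
MANY_DESTINATIONS = [f"10.0.0.{i}" for i in range(1, 9)]
ONE_DESTINATION = ["10.0.0.1"] * 8
UPLINKS = 2


def compare_policies() -> dict:
    """Summarise how each policy treats the sample VM's eight flows."""
    return {
        # Port ID and MAC hash: every flow from this VM uses the same uplink.
        "port_id_uplinks": {uplink_by_port_id(VM_PORT_ID, UPLINKS)},
        "mac_hash_uplinks": {uplink_by_mac_hash(VM_MAC, UPLINKS)},
        # IP hash: flows to many destinations spread across both uplinks...
        "ip_hash_many_dst": dict(ip_hash_spread(VM_IP, MANY_DESTINATIONS, UPLINKS)),
        # ...but flows to a single destination all hash to the same uplink.
        "ip_hash_one_dst": dict(ip_hash_spread(VM_IP, ONE_DESTINATION, UPLINKS)),
    }


if __name__ == "__main__":
    for k, v in compare_policies().items():
        print(k, v)
```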

Network Failover Detection has a few options:

  • Link Status Only – Monitors just the status of the link to detect a network failure.  Thus, it only helps if the port on the physical switch connected to the host fails or is unplugged.
  • Beacon Probing – This sends a probe down the line and can detect upstream failures beyond the port the host is connected to.  Useful in situations where there is no physical connection to the first switch down the line, such as HP c-Class blade configurations.
  • Notify Switches – Used to notify upstream switches when a failover event has occurred or when a vNIC is connected.
  • Failback – Should we fail back to the original NIC when it becomes operational again?
  • Then there is the failover order, which gives you the ability to group your NICs into active, standby or unused groups.
Configure VLAN settings
On a vSS you simply input the VLAN ID that you would like associated with that switch and/or port group.
On a vDS there are a few options in regards to VLANs:
  • None – No VLAN tagging will be performed.
  • VLAN – Enter the VLAN ID to be used for tagging.
  • VLAN Trunking – Enter a range of VLANs to be trunked.
  • Private VLAN – Select a private VLAN to be used.  Private VLANs themselves have a few different configurations:
    • Promiscuous – Any node in this group will be able to send to and receive from any node in any other group within the primary VLAN.
    • Isolated – May only send/receive packets to the promiscuous group.
    • Community – May communicate with other nodes in the same community group and with the promiscuous group.
Configure traffic shaping policies
Traffic Shaping can be applied and configured on both the vSS and the vDS, the exception being that the vSS only supports egress (outgoing) traffic whereas the vDS supports both ingress and egress.
On a vSS it is applied to the vSwitch, then propagated down to the port group, where it can be overridden.  On the vDS it is applied on the dvPort Group and can subsequently be overridden on the individual port.
There are three main settings for traffic shaping:
  • Average Bandwidth (Kilobits/sec) – Allowed number of kilobits per second, averaged over time.
  • Peak Bandwidth (Kilobits/sec) – Maximum number of kilobits per second.
  • Burst Size (KB) – Maximum number of kilobytes to allow in a burst.
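The interplay of the three settings is easier to see in a simulation. The following is an added example (not code from the original post and not VMware's shaper) that models the credit behaviour described in the definitions quoted in the comments below: while a port sends less than Average Bandwidth it accumulates credit up to Burst Size, and it may then send above Average, capped at Peak Bandwidth, until that credit is spent. The one-second tick, the sample policy values and the unit choice (1 KB = 1024 bytes, 1 kbps = 1000 bits/sec) are assumptions made here.

```python
"""Constructed simulation of vSwitch traffic shaping (added example).

A simplified credit model of Average Bandwidth, Peak Bandwidth and Burst Size;
not VMware's implementation.
"""
from dataclasses import dataclass


@dataclass
class ShapingPolicy:
    average_kbps: int  # Average Bandwidth (kilobits/sec)
    peak_kbps: int     # Peak Bandwidth (kilobits/sec)
    burst_kb: int      # Burst Size (KB); 1 KB taken as 1024 bytes here (assumption)

    @property
    def average_bytes_per_sec(self) -> int:
        return self.average_kbps * 1000 // 8

    @property
    def peak_bytes_per_sec(self) -> int:
        return self.peak_kbps * 1000 // 8

    @property
    def burst_bytes(self) -> int:
        return self.burst_kb * 1024


def max_burst_seconds(policy: ShapingPolicy) -> float:
    """Rule of thumb from the quoted VMware definitions: Burst Size sent at Peak speed."""
    return policy.burst_bytes * 8 / (policy.peak_kbps * 1000)


def shape(policy: ShapingPolicy, demand_bytes_per_sec: list) -> list:
    """Simulate one-second ticks; return the bytes actually sent in each second.

    Credit builds up whenever the port uses less than Average Bandwidth and is
    capped at Burst Size. Sending above Average draws on that credit, and the
    total rate never exceeds Peak Bandwidth.
    """
    credit = 0
    sent = []
    for demand in demand_bytes_per_sec:
        allowed = min(demand, policy.peak_bytes_per_sec)        # never above Peak
        from_average = min(allowed, policy.average_bytes_per_sec)
        extra = min(allowed - from_average, credit)              # burst paid from credit
        credit -= extra
        unused_average = policy.average_bytes_per_sec - from_average
        credit = min(credit + unused_average, policy.burst_bytes)
        sent.append(from_average + extra)
    return sent


# Constructed sample: 1 Mbit/s average, 2 Mbit/s peak, 500 KB burst.
SAMPLE_POLICY = ShapingPolicy(average_kbps=1000, peak_kbps=2000, burst_kb=500)
# Three idle seconds (credit builds), then four seconds wanting 300,000 bytes/sec.
SAMPLE_DEMAND = [0, 0, 0, 300_000, 300_000, 300_000, 300_000]


if __name__ == "__main__":
    print("bytes sent per second:", shape(SAMPLE_POLICY, SAMPLE_DEMAND))
    print("max burst time (s):", max_burst_seconds(SAMPLE_POLICY))
```

With the sample values the port idles for three seconds and banks 375,000 bytes of credit, then sends at the 250,000 bytes/sec peak for three seconds while spending that credit, and drops back to the 125,000 bytes/sec average once the credit is gone, even though the demand is still 300,000 bytes/sec.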
Enable TCP Segmentation Offload support for a virtual machine
In order to enable TSO you must use Enhanced VMXNET adapters, which limits the supported guest operating systems to…
  • Red Hat Enterprise Linux 4 (64-bit)
  • Red Hat Enterprise Linux 5 (32- and 64-bit)
  • Windows Server 2003 Enterprise SP2 (32- and 64-bit)
  • SUSE Linux Enterprise 10 (32- and 64-bit)

TSO is enabled on the VMkernel interface by default, but must be configured at a per-VM level.  As far as I can tell you simply need to add the VMXNET adapter in order to support TSO.

Enable Jumbo Frames support on appropriate components
Jumbo Frames allow a host to send larger frames (up to 9k) out on the network, but they must be configured all throughout the network, end to end.  Jumbo Frames are enabled on the vSS and vDS by simply setting the Max MTU to 9000 on the port groups.
Inside the VM you must install the VMXNET 3 adapter and enable Jumbo Frames from within the guest OS itself.
Determine appropriate VLAN configuration for a vSphere implementation
Use External Switch Tagging (EST), Virtual Switch Tagging (VST) or Virtual Machine Tagging (VGT).  Know the differences between these.  Also, know the configuration of PVLANs.  It all depends on the environment 😉  This is a hard one to document.


5 thoughts on “VCP 5 – Objective 2.3 – Configure vSS and vDS Policies”

  1. Great post, just a small correction – I think the burst size is just Kb and not Kbs, as it's the max amount of data that can be transferred. These definitions from VMware's site might also be worth pasting in..

    Average Bandwidth: Target traffic rate cap that the switch tries to enforce. Every time a client uses less than the defined Average Bandwidth, credit builds up.

    Peak Bandwidth: Extra bandwidth available, above the Average Bandwidth, for a short burst. The availability of the burst depends on credit accumulated so far.

    Burst Size: Amount of traffic that can be transmitted or received at Peak speed. (Combining Peak Bandwidth and Burst Size you can calculate the maximum allowed time for the burst.)

  2. Another one – the vSS traffic shaping policy is egress, i.e. outbound, but you state it is inbound in the first section.
     (You correctly state it later on.) Hope you don't think I'm being picky, just using your material to study and thought it would help if I correct any mistakes on the way in return…

  3. Thanks for pointing out the mistakes!  I’ve corrected them…I’ll have to update the pdf sometime!  Thanks again!
