VMware Virtual Networking Concepts
VMware Information Guide
Table of Contents

Introduction
ESX Server Networking Components
How Virtual Ethernet Adapters Work
How Virtual Switches Work
A Virtual Switch Is Similar to a Physical Switch
A Virtual Switch Is Different from a Physical Switch
Spanning Tree Protocol Not Needed
Virtual Switch Isolation
Virtual Ports
Uplink Ports
Port Groups
Uplinks
Virtual Switch Correctness
VLANs in VMware Infrastructure
NIC Teaming
Load Balancing
Failover Configurations
Layer 2 Security Features
Managing the Virtual Network
Appendix: Virtual Device Maximums
Introduction

VMware Infrastructure 3 provides a rich set of networking capabilities that integrate well with sophisticated enterprise networks. These networking capabilities are provided by VMware ESX Server and managed by VMware VirtualCenter.

With virtual networking, you can network virtual machines in the same way that you do physical machines and can build complex networks within a single ESX Server host or across multiple ESX Server hosts, for production deployments or development and testing purposes. In addition, virtual networks enable functionality not possible with physical networks today.

Virtual switches allow virtual machines on the same ESX Server host to communicate with each other using the same protocols that would be used over physical switches, without the need for additional networking hardware. ESX Server virtual switches also support VLANs that are compatible with standard VLAN implementations from other vendors.

A virtual machine can be configured with one or more virtual Ethernet adapters, each of which has its own IP address and MAC address. As a result, virtual machines have the same properties as physical machines from a networking standpoint.

This guide is for VMware Infrastructure 3 users who want a clearer understanding of the basic design of the networking capabilities in VMware Infrastructure 3 and how that design affects deployment in the datacenter.

VMware Infrastructure Networking Components

The VMware Infrastructure 3 networking stack uses a modular design for maximum flexibility.

The key virtual networking components provided by VMware Infrastructure 3 are virtual Ethernet adapters, used by individual virtual machines, and virtual switches, which connect virtual machines to each other and connect both virtual machines and the ESX Server service console to external networks, as shown in Figure 1. The sections that follow provide more detail about each of these components.

Figure 1 — Virtual switches in ESX Server 3 connect virtual machines and the service console to each other and to external networks. (Figure labels: service console, virtual Ethernet adapters, ESX Server, Production LAN, Management LAN.)
How Virtual Ethernet Adapters Work

In discussions of VMware Infrastructure 3, you may see references to as many as five different virtual network adapters. Three of those are virtual Ethernet adapters used by virtual machines. In most cases, a virtual machine uses only one of the three types of virtual adapters. The three types of adapters available for virtual machines are:

• vmxnet — a paravirtualized device that works only if VMware Tools is installed in the guest operating system. A paravirtualized device is one designed with specific awareness that it is running in a virtualized environment. The vmxnet adapter is designed for high performance. In most cases, when you select the flexible network adapter, this is the adapter used after VMware Tools is installed in the guest operating system.
• vlance — a virtual device that provides strict emulation of the AMD Lance PCNet32 Ethernet adapter. It is compatible with most 32-bit guest operating systems. This adapter is used when you select the flexible network adapter but VMware Tools is not installed in the guest operating system.
• e1000 — a virtual device that provides strict emulation of the Intel E1000 Ethernet adapter. This is the virtual Ethernet adapter used in 64-bit virtual machines. It is also available in 32-bit virtual machines.

The other virtual network adapters are:

• vswif — a paravirtualized device similar to vmxnet that is used only by the ESX Server service console.
• vmknic — a virtual device in the VMkernel, the software layer that manages most of the physical resources on the ESX Server host. The vmknic is used by the TCP/IP stack that services VMotion, NFS and software iSCSI clients that run at the VMkernel level, and remote console traffic.

All five of the virtual network devices share the following characteristics:

• They have their own MAC addresses and unicast/multicast/broadcast filters.
• They are strictly Layer 2 Ethernet adapter devices.

Note: The speed and duplex settings found in physical networking are not relevant in the virtual network, because all the data transfer takes place in the host system's RAM, nearly instantaneously and without the possibility of collisions or other signaling-related errors.

How Virtual Switches Work

Virtual switches are the key networking components in VMware Infrastructure 3. You can create up to 248 virtual switches on each ESX Server 3 host.

A virtual switch is "built to order" at run time from a collection of small functional units. Some of the key functional units are:

• The core Layer 2 forwarding engine. This is a key part of the system (for both performance and correctness), and in VMware Infrastructure 3 it is simplified so it only processes Layer 2 Ethernet headers. It is completely independent of other implementation details, such as differences in physical Ethernet adapters and emulation differences in virtual Ethernet adapters.
• VLAN tagging, stripping, and filtering units.
• Layer 2 security, checksum, and segmentation offload units.

This modular approach has become a basic principle to be followed in future development, as well.

When the virtual switch is built at run time, ESX Server 3 loads only those components it needs. It installs and runs only what is actually needed to support the specific physical and virtual Ethernet adapter types used in the configuration. This means the system pays the lowest possible cost in complexity and demands on system performance.

The design of ESX Server 3 supports temporarily loading certain components in the field, a capability that could be used, for example, for running appropriately designed diagnostic utilities.

An additional benefit of the modular design is that VMware and third-party developers can easily incorporate modules to enhance the system in the future.

In many ways, the ESX Server virtual switches are similar to physical switches. In some notable ways, they are different. Understanding these similarities and differences will help you plan the configuration of your virtual network and its connections to your physical network.

A Virtual Switch Is Similar to a Physical Switch

A virtual switch, as implemented in ESX Server 3, works in much the same way as a modern Ethernet switch. It maintains a MAC:port forwarding table and performs the following functions:

• Looks up each frame's destination MAC when it arrives.
• Forwards a frame to one or more ports for transmission.
• Avoids unnecessary deliveries (in other words, it is not a hub).
An ESX Server 3 virtual switch supports VLAN segmentation at the port level. This means each port can be configured in either of the following ways:

• With access to a single VLAN, making it what's called an access port in the world of physical switches, or in ESX Server terminology, using virtual switch tagging.
• With access to multiple VLANs, leaving tags intact, making it what's called a trunk port in the world of physical switches, or in ESX Server terminology, using virtual guest tagging.

For more information on these options, see the section VLANs in VMware Infrastructure.

An ESX Server 3 virtual switch supports copying packets to a mirror port. By using what is called promiscuous mode, ESX Server makes a virtual switch port act as a SPAN port or mirror port. This capability makes it possible to debug using a sniffer or to run monitoring applications such as IDS. Because a port in promiscuous mode receives every frame on its port group, this setting should be allowed only on the port groups used by dedicated monitoring virtual machines.

In addition, an administrator can manage many configuration options for the switch as a whole and for individual ports using the Virtual Infrastructure Client.

A Virtual Switch Is Different from a Physical Switch

• ESX Server provides a direct channel from virtual Ethernet adapters for such configuration information as authoritative MAC filter updates. So there is no need to learn unicast addresses or perform IGMP snooping to learn multicast group membership.
• Because there is no need to cascade virtual switches, VMware Infrastructure 3 provides no capability to connect virtual switches.
• Because there is no way to connect virtual switches, there is no need to prevent bad virtual switch connections.
• Ports on the virtual switch may automatically enter mirror mode when the virtual Ethernet adapter's promiscuous bit is set, if virtual switch and port group policies allow.

Spanning Tree Protocol Not Needed

VMware Infrastructure 3 enforces a single-tier networking topology. In other words, there is no way to interconnect multiple virtual switches, so the network cannot be configured to introduce loops. As a result, Spanning Tree Protocol (STP) is not needed and is not present.

Note: It is actually possible, with some effort, to introduce a loop with virtual switches. However, to do so, you must run Layer 2 bridging software in a guest with two virtual Ethernet adapters connected to the same subnet. This would be difficult to do accidentally, and there is no reason to do so in typical configurations.

Virtual Switch Isolation

Network traffic cannot flow directly from one virtual switch to another virtual switch within the same host. Virtual switches provide all the ports you need in one switch, leading to the following benefits:

• Because virtual switches cannot share physical Ethernet adapters, there is no way to fool the Ethernet adapter into doing loopback or some similar configuration that would cause a leak between virtual switches.
• Each virtual switch has its own forwarding table, and there is no mechanism to allow an entry in one table to point to a port on another virtual switch. In other words, every destination the switch looks up can match only ports on the same virtual switch as the port where the frame originated, even if other virtual switches' lookup tables contain entries for that address.

It is unlikely that a would-be attacker could circumvent virtual switch isolation, because doing so would require a substantial unknown security flaw in the VMkernel. Because ESX Server parses so little of the frame data (primarily just the Ethernet header), this would be difficult, and once an attacker had such access, richer targets than breaking virtual switch isolation would be readily available.

There are natural limits to this isolation.
If you connect the uplinks of two virtual switches together, or if you bridge two virtual switches with software running in a virtual machine, you open the door to the same kinds of problems you might see in physical switches.

Virtual Ports

The ports on a virtual switch provide logical connection points among virtual devices and between virtual and physical devices. You can think of them as virtual RJ-45 connectors. Each virtual switch can have up to 1,016 virtual ports, with a limit of 4,096 ports on all virtual switches on a host.

The virtual ports in ESX Server provide a rich control channel for communication with the virtual Ethernet adapters attached to them. ESX Server virtual ports:

• Know authoritatively what the configured receive filters are for virtual Ethernet adapters attached to them. This means no MAC learning is required to populate forwarding tables.
• Unlike physical switches, know authoritatively the "hard" configuration of the virtual Ethernet adapters attached to them. This capability makes it possible to set such policies as "guest can't change MAC address," because the virtual switch port can essentially know for sure what is "burned into ROM" (actually, stored in the configuration file, outside the control of the guest operating system).
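The behaviour described in the preceding sections (a forwarding table populated from port configuration rather than learned from traffic, access versus trunk ports, isolation between virtual switches, promiscuous ports acting as mirror ports, and a port rejecting frames whose source MAC is not the one in the configuration file) is modelled below in Python. This is an added example written for this guide, not VMware code and not the VMkernel implementation. The policy and marker names (TRUNK, drop_forged_src, promiscuous), the sample port names and MAC addresses, and the two-switch topology are assumptions chosen for illustration; the treatment of unknown unicast (sent only to uplinks, never flooded to virtual machine ports) and of untagged frames arriving on a trunk port (dropped) is a simplification made here, not documented ESX behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

BROADCAST = "ff:ff:ff:ff:ff:ff"
TRUNK = "trunk"   # assumed marker for a virtual-guest-tagging (trunk) port


@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None   # 802.1Q tag; None means untagged


@dataclass
class Port:
    name: str
    mac: Optional[str]            # MAC from the VM configuration file; None for uplinks
    vlan: Union[int, str]         # int: access port (VST); TRUNK: tags left intact (VGT)
    is_uplink: bool = False
    promiscuous: bool = False     # receives a copy of all traffic on its VLAN (mirror/SPAN)
    drop_forged_src: bool = True  # assumed name for the "MAC spoofing is blocked" policy


class VSwitch:
    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}
        # No MAC learning: the table is populated from what each port's adapter declares.
        self.table: Dict[str, Port] = {p.mac: p for p in ports if p.mac}

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """VLAN the frame belongs to on ingress, or None if it must be dropped."""
        if port.vlan == TRUNK:
            return frame.vlan        # VGT: the guest's own tag is carried through
        if frame.vlan is not None:
            return None              # tagged frame arriving on an access port
        return port.vlan             # VST: untagged frame takes the port's VLAN

    def egress(self, port: Port, frame: Frame, vlan: int) -> Frame:
        tagged = port.vlan == TRUNK or port.is_uplink   # tag on trunks/uplinks, strip on access
        return Frame(frame.src, frame.dst, vlan if tagged else None)

    def forward(self, ingress_name: str, frame: Frame) -> Tuple[str, List[Tuple[str, Frame]]]:
        """Forward one frame; returns (disposition, [(egress port name, frame as delivered)])."""
        ingress = self.ports[ingress_name]
        # Layer 2 security: the port knows the configured MAC, so a changed source is rejected.
        if ingress.drop_forged_src and ingress.mac and frame.src != ingress.mac:
            return "dropped: forged source MAC", []
        vlan = self.classify(ingress, frame)
        if vlan is None:
            return "dropped: VLAN mismatch on ingress port", []
        out: List[Tuple[str, Frame]] = []
        target = self.table.get(frame.dst)   # only this switch's own table is consulted
        if target is not None and target is not ingress and target.vlan in (vlan, TRUNK):
            out.append((target.name, self.egress(target, frame, vlan)))
            disposition = "unicast"
        else:
            # Broadcast floods the VLAN; unknown unicast is not flooded to VM ports (nothing
            # is learned, so an absent address is not here) and leaves only via uplinks.
            flood = frame.dst == BROADCAST
            for p in self.ports.values():
                if p is not ingress and p.vlan in (vlan, TRUNK) and (flood or p.is_uplink):
                    out.append((p.name, self.egress(p, frame, vlan)))
            disposition = "broadcast" if flood else "unknown unicast: uplinks only"
        for p in self.ports.values():   # promiscuous ports mirror all traffic on the VLAN
            if p.promiscuous and p is not ingress and p.vlan in (vlan, TRUNK) \
                    and all(n != p.name for n, _ in out):
                out.append((p.name, self.egress(p, frame, vlan)))
        return disposition, out


def build_demo() -> Tuple[VSwitch, VSwitch]:
    """Constructed two-switch topology; port names and MACs are sample values."""
    vswitch0 = VSwitch([
        Port("vmnic0", None, TRUNK, is_uplink=True),
        Port("web", "00:50:56:00:00:01", 10),
        Port("db", "00:50:56:00:00:02", 10),
        Port("ids", "00:50:56:00:00:03", 10, promiscuous=True),
        Port("admin", "00:50:56:00:00:04", 20),
    ])
    vswitch1 = VSwitch([   # no uplink, e.g. the inside of a firewall VM
        Port("fw-inside", "00:50:56:00:00:05", 30),
        Port("app", "00:50:56:00:00:06", 30),
    ])
    return vswitch0, vswitch1


def scenario_results() -> Dict[str, Tuple[str, List[str]]]:
    """Cases discussed in the text; returns {case: (disposition, egress port names)}."""
    vs0, vs1 = build_demo()
    web, db, admin = (vs0.ports[n].mac for n in ("web", "db", "admin"))
    app = vs1.ports["app"].mac
    cases = {
        "same VLAN unicast": vs0.forward("web", Frame(web, db)),
        "cross-VLAN unicast": vs0.forward("web", Frame(web, admin)),
        "MAC lives on another vswitch": vs0.forward("web", Frame(web, app)),
        "spoofed source MAC": vs0.forward("web", Frame("00:50:56:00:00:99", db)),
        "tagged frame on access port": vs0.forward("admin", Frame(admin, db, vlan=10)),
        "broadcast on switch without uplink": vs1.forward("app", Frame(app, BROADCAST)),
    }
    return {k: (d, [n for n, _ in out]) for k, (d, out) in cases.items()}
```

Calling scenario_results() shows the frame from web to db delivered untagged to db plus a copy to the promiscuous ids port; the frame to admin leaving tagged only through the uplink, because the switch never passes traffic between VLANs; the frame addressed to app, whose MAC exists only in vSwitch1's table, likewise going uplink-only; the spoofed frame rejected at the port before any lookup; and the broadcast on the switch with no uplink reaching only the other port on that switch.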
Virtual Ethernet adapters connect to virtual ports when you power on the virtual machine on which the adapters are configured, when you take an explicit action to connect the device, or when you migrate a virtual machine using VMotion.

A virtual Ethernet adapter updates the virtual switch port with MAC filtering information when it is initialized and whenever it changes.

A virtual port may ignore any requests from the virtual Ethernet adapter that would violate the Layer 2 security policy in effect for the port. For example, if MAC spoofing is blocked, the port drops any packets that violate this rule.

Uplink Ports

Uplink ports are ports associated with physical adapters, providing a connection between a virtual network and a physical network. Physical adapters connect to uplink ports when they are initialized by a device driver or when the teaming policies for virtual switches are reconfigured.

Some virtual switches should not connect to a physical network and thus have no uplink port, as shown in Figure 2. This is the case, for example, for a virtual switch that provides connections between a firewall virtual machine and the virtual machines protected by the firewall.

Figure 2 — Virtual switches in ESX Server 3 can be configured with uplink ports or with no uplink port.

Port Groups

As important as they are in VMware Infrastructure virtual networking, port groups do not correspond exactly to features commonly found in physical networks. The closest counterpart is the SmartPort feature offered in some Cisco switches. You can think of port groups as templates for creating virtual ports with particular sets of specifications. You can create a maximum of 512 port groups on a single host.

Port groups are important particularly for VMotion.
To understand why, consider what happens as virtual machines migrate to new hosts using VMotion. Port groups make it possible to specify that a given virtual machine should have a particular type of connectivity on every host on which it might run.

Port groups are user-named objects that contain enough configuration information to provide persistent and consistent network access for virtual Ethernet adapters:

• Virtual switch name
• VLAN IDs and policies for tagging and filtering
• Teaming policy
• Layer 2 security options
• Traffic shaping parameters

In short, port group definitions capture all the settings for a switch port. Then, when you want to connect a virtual machine to a particular kind of port, you simply specify the name of a port group with an appropriate definition.

Port groups may specify different host-level parameters on different hosts, teaming configurations, for example. But the key element is that the result is a consistent view of the network for a virtual machine connected to that port group, whichever host is running it.

Note: Port groups do not necessarily correspond one-to-one to VLAN groups. It is possible, and even reasonable, to assign the same VLAN ID to multiple port groups. This would be useful if, for example, you wanted to give different groups of virtual machines different physical Ethernet adapters in a NIC team for active use and for standby use, while all the adapters are on the same VLAN.

Uplinks

Physical Ethernet adapters serve as bridges between virtual and physical networks. In VMware Infrastructure, they are called uplinks, and the virtual ports connected to them are called uplink ports. A single host may have a maximum of 32 uplinks, which may be on one switch or distributed among a number of switches.

In order for a virtual switch to provide access to more than one VLAN, the physical switch ports to which its uplinks are connected must be in trunking mode. It is important to prune the VLANs, keeping only those that are required for the virtual switch.
Failure to do so can cause unnecessary overhead on the ESX Server host because it must process broadcast traffic for all VLANs trunked to it.

You should prune VLANs at the physical switch level, but pruning at the physical switch cannot be quite as aggressive as pruning at the uplink, because the virtual switch knows which virtual machines are actually powered on. As a result, the virtual switch can also prune VLANs that are configured for its port groups but are not in use at a given moment because no virtual machine on them is powered on; the physical switch cannot distinguish those from VLANs in active use.

You can specify different teaming behavior for different groups of virtual machines that share the same team of physical adapters. For example, you can vary the active/standby status of each adapter in the team across port groups to get both good link aggregation and failover behavior. For more information on teaming, see the section NIC Teaming.

Teaming state, that is, which physical Ethernet adapters are actually transporting data, is maintained for each port group.

Teaming state transitions are mostly transparent to virtual Ethernet adapters. Virtual machines cannot tell when a failover has occurred or which physical adapter is carrying any given frame. When the transition removes or restores actual access to a physical network, that is, when the last link goes down or the first link comes up, the network visibility change is apparent to guests.

Uplinks are not required for a virtual switch to forward traffic locally. Virtual Ethernet adapters on the same virtual switch can communicate with each other even if no uplinks are present. If uplinks are present, they are not used for local communications within a virtual switch.

When VLANs are configured, ports must be on the same VLAN in order to communicate with each other. The virtual switch does not allow traffic to pass from one VLAN to another. Communication between VLANs is treated the same as communication between virtual switches: it is not allowed. If you do want communication between two VLANs or two virtual switches, you must configure an external bridge or router to forward the frames.

Virtual Switch Correctness

Two correctness issues are particularly important.

It is important to ensure that virtual machines or other nodes on the network canno