ESXi Network Concepts | VMware Administration Essentials
Critically important to the configuration of any ESXi environment is the proper configuration of host networking. Generally, host networks include storage, vMotion, VM, and management networks. These are generally the basic networks configured in order to have a functioning ESXi cluster that is integrated with the vCenter server.
In this post, we will take a look at the ESXi Network concepts that are essential to understand before we move on to the actual configuration of the ESXi network mentioned above.
ESXi Network Concepts
Virtual Switches (vSwitches)
The key component to data being moved around between VMs in VMware virtualization world is a vSwitch. A vSwitch is exactly that – a virtual switch. Though it is not a hardware device, the virtual switch passes traffic using the same concepts found in the OSI networking model as physical switches do. In other words, layer 2 frames (OSI data link layer) enter and exit the vSwitch much as they would a physical switch.
The difference in the vSwitch and the physical switch networking in the VMware world is that the vSwitch does not keep a table of MAC addresses for devices that it does not directly know about as does a physical switch. It only knows and cares about the MAC addresses for VMs and VMkernel port devices that are directly connected to the virtual switch. The vSwitch will not flood unknown frames out all ports. Unknown frames are simply dropped by the vSwitch. Unknown MAC address destinations originating from a VM connected to the vSwitch are sent to the vSwitch physical uplink.
vSwitch Types
In vSphere, there are two types of switches that can be provisioned, the standard vSwitch or SVS, and Distributed vSwitch or DVS. The Distributed vSwitch requires Enterprise Plus licensing to be made available and is configured at the vCenter level. For the purposes of this essentials post, we will be using Standard vSwitches since they span the full range of licensed offerings from VMware and they don’t require vCenter server.
Virtual ports
Virtual ports on the vSwitch act like the ports on a physical switch. Each VM that is configured with a virtual network adapter uses one of these virtual ports on the vSwitch. Also, there are VMkernel ports, which are a special kind of ports that talk directly to the ESXi host’s VMkernel and are required to make storage, vMotion, and management network traffic possible.
Physical Uplinks
Virtual Switch traffic is uplinked on each ESXi host by the physical network cards in the ESXi host that are bound to that vSwitch in VMware. This provides the traffic path for traffic entering and exiting the vSwitch. The real physical interface on the ESXi host is mapped to a vmnic in ESXi. These mappings can be seen when managing the networking adapters on the ESXi host.
Notice the physical adapters assigned to the vSwitches.
Port Groups
Port groups allow us to logically carve up our virtual ports that are available on a particular vSwitch. We can apply traffic policy rules at the port group level – security rules and traffic shaping. Port groups are where we can also assign VLANs to our traffic. Below, take note of a configured port group called “TestPortGroup”.
VLANs
VLANs are virtual networks based on the IEEE 802.1Q standard that logically separate traffic over the same physical infrastructure. VLANs allow for segmenting networks into different pieces without having to physically separate networks. This is made possible by an additional VLAN tag being sent within the Ethernet frame header which identifies which VLAN the traffic belongs to. Often, this is done for security and performance reasons. As the network becomes larger, broadcast traffic can grow exponentially. VLANs segment broadcast domains so that unwanted broadcast traffic is contained within a logical network.
On the security side of things, if we want to make sure that certain traffic is inaccessible from other parts of the network, we can assign that traffic to its own VLAN which isolates it from other VLANs on the production network allowing us to segment sensitive or private traffic from regular production traffic.
Going back to our vSwitch, there are three ways we can set VLAN tags – virtual switch tagging (VST), virtual guest tagging (VGT), or external switch tagging (EST).
Setting VLAN tags at the port group level is known as virtual switch tagging or VST. This means we set the VLAN tag at the vSwitch level on the port group. So, our vSwitch is managing VLAN tags. This is perhaps the easiest and preferred way to introduce VLANs into the virtual environment.
Setting VLAN tags on our physical switch is called external switch tagging or EST. The physical switch is responsible for managing VLAN tags. In many VMware environments, if you have a dedicated storage switch, the ports will be set in untagged mode meaning the physical switch is doing all of the tagging operations and the virtual switch is not aware of this. This is known as External Switch Tagging or EST.
The least common use case is virtual guest tagging or VST. It allows the virtual guest VM to tag traffic and pass this along to the vSwitch which then passes the VLAN-tagged frame up to the physical switch.
vCenter Server
What is VMware vCenter exactly? VMware’s vCenter product is the core product required to turn on the enterprise features. This includes, but isn’t limited to the following:
- Centralized management including Single Sign On (SSO) authentication
- Centralized permissions management
- Centralized logging of tasks events
- Resource management
- Central location to perform management and administrative tasks across ESXi hosts
- High Availability
- Distributed Resource Scheduling
- Fault Tolerance
- Centralized updating via the update manager
***Note*** VCenter server is also needed to unlock additional modules that one may wish to take advantage of in the VMware ecosystem such as VMware NSX, VSAN, and others.
