Knowledge
- Identify VMware NIC Teaming policies
- Identify common network protocols
Skills and Abilities
- Understand the NIC Teaming failover types and related physical network settings
- Determine and apply Failover settings
- Configure explicit failover to conform with VMware best practices
-
Configure port groups to properly isolate network traffic
Understand the NIC Teaming failover types and related physical network settings
Official Documentation:
vSphere Networking, Chapter 5 “Networking Policies”, Section “Load balancing and Failover policies”, page 45
Load Balancing and Failover Policy
Load balancing and failover policies allow you to determine how network traffic is distributed between adapters and how to re-route traffic in the event of adapter failure.
You can edit your load balancing and failover policy by configuring the following parameters:
- Load Balancing policy determines how outgoing traffic is distributed among the network adapters associated with a switch or port group.
NOTE Incoming traffic is controlled by the load balancing policy on the physical switch.
- Failover Detection controls the link status and beacon probing. Beaconing is not supported with guest VLAN tagging.
- Network Adapter Order can be active or standby.
Edit Failover and Load Balancing Policy for a vSphere Standard Switch
Use Load Balancing and Failover policies to determine how network traffic is distributed between adapters and how to reroute traffic in the event of an adapter failure.
The Failover and Load Balancing policies include the following parameters:
- Load Balancing policy: The Load Balancing policy determines how outgoing traffic is distributed among the network adapters assigned to a standard switch. Incoming traffic is controlled by the Load Balancing policy on the physical switch.
- Failover Detection: Link Status/Beacon Probing
- Network Adapter Order (Active/Standby)
In some cases, you might lose standard switch connectivity when a failover or failback event occurs. This causes the MAC addresses used by virtual machines associated with that standard switch to appear on a different
switch port than they previously did. To avoid this problem, put your physical switch in portfast or portfast trunk mode.
Procedure
- Log in to the vSphere Client and select the server from the inventory panel. The hardware configuration page for this server appears.
- Click the Configuration tab and click Networking.
- Select a standard switch and click Edit.
- Click the Ports tab.
- To edit the Failover and Load Balancing values, select the standard switch item and click Properties.
- Click the NIC Teaming tab.
You can override the failover order at the port group level. By default, new adapters are active for all policies. New adapters carry traffic for the standard switch and its port group unless you specify otherwise. - In the Load Balancing list, select an option for how to select an uplink.
| Option | Description |
| Route based on the originating portID | Select an uplink based on the virtual port where the traffic entered thestandard switch. |
| Route based on ip hash | Select an uplink based on a hash of the source and destination IP addressesof each packet. For non-IP packets, whatever is at those offsets is used tocompute the hash. |
| Route based on source MAC hash | Select an uplink based on a hash of the source Ethernet. |
| Use explicit failover order | Always use the highest order uplink from the list of Active adapters thatpasses failover detection criteria. |
- In the Network failover detection list, select the option to use for failover detection.
| Option | Description |
| Link Status only | Relies solely on the link status that the network adapter provides. This optiondetects failures, such as cable pulls and physical switch power failures, butnot configuration errors, such as a physical switch port being blocked by
spanning tree or misconfigured to the wrong VLAN or cable pulls on the other side of a physical switch. |
| Beacon Probing | Sends out and listens for beacon probes on all NICs in the team and uses thisinformation, in addition to link status, to determine link failure. This optiondetects many of the failures mentioned above that are not detected by link
status alone. NOTE Do not use beacon probing with IP-hash load balancing. |
- Select Yes or No to notify switches in the case of failover.
If you select Yes, whenever a virtual NIC is connected to the standard switch or whenever that virtual NIC’s traffic is routed over a different physical NIC in the team because of a failover event, a notification is sent over the network to update the lookup tables on the physical switches. In almost all cases, this is desirable for the lowest latency of failover occurrences and migrations with vMotion.
Do not use this option when the virtual machines using the port group are using Microsoft Network Load Balancing (NLB) in unicast mode. No such issue exists with NLB running in multicast mode. - Select Yes or No to disable or enable failback.
This option determines how a physical adapter is returned to active duty after recovering from a failure. If failback is set to Yes, the adapter is returned to active duty immediately on recovery, displacing the standby adapter that took over its slot, if any. If failback is set to No, a failed adapter is left inactive even after recovery until another active adapter fails, requiring its replacement. - Set Failover Order to specify how to distribute the work load for adapters.
To use some adapters but reserve others for emergencies, you can set this condition using the drop-down menu to place them into groups.
| Option | Description |
| Active Adapters | Continue to use the adapter when the network adapter connectivity isavailable and active. |
| Standby Adapters | Use this adapter if one of the active adapter’s connectivity is unavailable. |
| Unused Adapters | Do not use this adapter. |
If you are using iSCSI Multipathing, your VMkernel interface must be configured to have one active adapter and no standby adapters. See the vSphere Storage documentation.
NOTE When using IP-hash load balancing, do not configure standby uplinks.
Edit the Failover and Load Balancing Policy on a Standard Port Group
Failover and load balancing policies allow you to determine how network traffic is distributed between adapters and how to re-route traffic in the event of an adapter failure.
Procedure
- Log in to the vSphere Client and select the host from the inventory panel.
- Click the Configuration tab and click Networking.
- Select a port group and click Edit.
- In the Properties dialog box, click the Ports tab.
- To edit the Failover and Load Balancing values for the port group, select the port group and click Properties.
- Click the NIC Teaming tab.
You can override the failover order at the port-group level. By default, new adapters are active for all policies. New adapters carry traffic for the standard switch and its port group unless you specify otherwise. - Specify the settings in the Policy Exceptions group.
| Option | Description |
| Load Balancing | Specify how to choose an uplink.
NOTE IP-based teaming requires that the physical switch be configured with etherchannel. For all other options, etherchannel should be disabled. |
| Network Failover Detection | Specify the method to use for failover detection.
|
| Notify Switches | Select Yes or No to notify switches in the case of failover.If you select Yes, whenever a virtual NIC is connected to the standard switch or whenever that virtual NIC’s traffic would be routed over a different physical NIC in the team because of a failover event, a notification is sent out over the network to update the lookup tables on physical switches. In almost all cases, this process is desirable for the lowest latency of failover occurrences and migrations with vMotion.NOTE Do not use this option when the virtual machines using the port group are using Microsoft Network Load Balancing in unicast mode. No such issue exists with NLB running in multicast mode. |
| Failback | Select Yes or No to disable or enable failback.This option determines how a physical adapter is returned to active duty after recovering from a failure. If failback is set to Yes (default), the adapter is returned to active duty immediately upon recovery, displacing the standby adapter that took over its slot, if any. If failback is set to No, a failed adapter is left inactive even after recovery until another currently active adapter fails, requiring its replacement. |
| Failover Order | Specify how to distribute the work load for uplinks. If you want to use some uplinks but reserve others for emergencies in case the uplinks in use fail, set this condition by moving them into different groups:
|
- Click OK.
Edit the Teaming and Failover Policy on a Distributed Port Group
Teaming and Failover policies allow you to determine how network traffic is distributed between adapters and how to re-route traffic in the event of an adapter failure.
Procedure
- Log in to the vSphere Client and select the Networking inventory view.
- Right-click the distributed port group in the inventory pane, and select Edit Settings.
- Select Policies.
- In the Teaming and Failover group specify the following.
| Option | Description |
| Load Balancing | Specify how to choose an uplink.
NOTE IP-based teaming requires that the physical switch be configured with etherchannel. For all other options, etherchannel should be disabled. |
| Network Failover Detection | Specify the method to use for failover detection.
NOTE Do not use beacon probing with IP-hash load balancing. |
| Notify Switches | Select Yes or No to notify switches in the case of failover.If you select Yes, whenever a virtual NIC is connected to the distributed switch or whenever that virtual NIC’s traffic would be routed over a different physical NIC in the team because of a failover event, a notification is sent out over the network to update the lookup tables on physical switches. In almost all cases, this process is desirable for the lowest latency of failover occurrences and migrations with vMotion.NOTE Do not use this option when the virtual machines using the port group are using Microsoft Network Load Balancing in unicast mode. No such issue exists with NLB running in multicast mode. |
| Failback | Select Yes or No to disable or enable failback.This option determines how a physical adapter is returned to active duty after recovering from a failure. If failback is set to Yes (default), the adapter is returned to active duty immediately upon recovery, displacing the standby adapter that took over its slot, if any. If failback is set to No, a failed adapter is left inactive even after recovery until another currently active adapter fails, requiring its replacement. |
| Failover Order | Specify how to distribute the work load for uplinks. If you want to use some uplinks but reserve others for emergencies in case the uplinks in use fail, set this condition by moving them into different groups:
NOTE When using IP-hash load balancing, do not configure standby uplinks. |
- Click OK.
Edit Distributed Port Teaming and Failover Policies
Teaming and Failover policies allow you to determine how network traffic is distributed between adapters and how to re-route traffic in the event of an adapter failure.
Procedure
- Log in to the vSphere Client and select the Networking inventory view.
- Select the vSphere distributed switch in the inventory pane.
- On the Ports tab, right-click the port to modify and select Edit Settings.
- Click Policies to view and modify port networking policies.
- In the Teaming and Failover group, specify the following.
| Option | Description |
| Load Balancing | Specify how to choose an uplink.
NOTE IP-based teaming requires that the physical switch be configured with etherchannel. For all other options, etherchannel should be disabled. |
| Network Failover Detection | Specify the method to use for failover detection.
NOTE Do not choose beacon probing with IP-hash load balancing. |
| Notify Switches | Select Yes or No to notify switches in the case of failover.If you select Yes, whenever a virtual NIC is connected to the vSphere distributed switch or whenever that virtual NIC’s traffic would be routed over a different physical NIC in the team because of a failover event, a notification is sent out over the network to update the lookup tables on physical switches. In almost all cases, this process is desirable for the lowest latency of failover occurrences and migrations with vMotion.NOTE Do not use this option when the virtual machines using the port group are using Microsoft Network Load Balancing in unicast mode. No such issue exists with NLB running in multicast mode. |
| Failback | Select Yes or No to disable or enable failback.This option determines how a physical adapter is returned to active duty after recovering from a failure. If failback is set to Yes (default), the adapter is returned to active duty immediately upon recovery, displacing the standby adapter that took over its slot, if any. If failback is set to No, a failed adapter is left inactive even after recovery until another currently active adapter fails, requiring its replacement. |
| Failover Order | Specify how to distribute the work load for uplinks. If you want to use some uplinks but reserve others for emergencies in case the uplinks in use fail, set this condition by moving them into different groups:
|
- Click OK.
Determine and apply Failover settings
Official Documentation:
vSphere Networking, Chapter 5 “Networking Policies”, Section “Load balancing and Failover policies”, page 45
See previous objective.
Configure explicit failover to conform with VMware best practices
Official Documentation:
vSphere Networking, Chapter 8 “Networking Best Practices”, page 77
Networking Best Practices
Consider these best practices when you configure your network.
- Separate network services from one another to achieve greater security and better performance.
Put a set of virtual machines on a separate physical NIC. This separation allows for a portion of the total networking workload to be shared evenly across multiple CPUs. The isolated virtual machines can then better serve traffic from a Web client, for example
- Keep the vMotion connection on a separate network devoted to vMotion. When migration with vMotion occurs, the contents of the guest operating system’s memory is transmitted over the network. You can do this either by using VLANs to segment a single physical network or by using separate physical networks (the latter is preferable).
- When using passthrough devices with a Linux kernel version 2.6.20 or earlier, avoid MSI and MSI-X modes because these modes have significant performance impact.
- To physically separate network services and to dedicate a particular set of NICs to a specific network service, create a vSphere standard switch or vSphere distributed switch for each service. If this is not possible, separate network services on a single switch by attaching them to port groups with different VLAN IDs. In either case, confirm with your network administrator that the networks or VLANs you choose are isolated in the rest of your environment and that no routers connect them.
- You can add and remove network adapters from a standard or distributed switch without affecting the virtual machines or the network service that is running behind that switch. If you remove all the running hardware, the virtual machines can still communicate among themselves. If you leave one network adapter intact, all the virtual machines can still connect with the physical network.
- To protect your most sensitive virtual machines, deploy firewalls in virtual machines that route between virtual networks with uplinks to physical networks and pure virtual networks with no uplinks.
- For best performance, use vmxnet3 virtual NICs.
- Every physical network adapter connected to the same vSphere standard switch or vSphere distributed switch should also be connected to the same physical network.
- Configure all VMkernel network adapters to the same MTU. When several VMkernel network adapters are connected to vSphere distributed switches but have different MTUs configured, you might experience network connectivity problems.
Configure port groups to properly isolate network traffic
Official Documentation:
vSphere Networking, Chapter 8″Networking Best Practices”, page 77
See previous objective.
More information
Scott Drummonds Blog: http://vpivot.com/2011/03/03/virtual-network-best-practices-aggregation/
The Foglite Blog: http://thefoglite.com/2012/06/04/isolating-network-traffic-using-port-groups/
Other exam notes
- The Saffageek VCAP5-DCA Objectives http://thesaffageek.co.uk/vcap5-dca-objectives/
- Paul Grevink The VCAP5-DCA diaries http://paulgrevink.wordpress.com/the-vcap5-dca-diaries/
- Edward Grigson VCAP5-DCA notes http://www.vexperienced.co.uk/vcap5-dca/
- Jason Langer VCAP-DCA notes http://www.virtuallanger.com/vcap-dca-5/
- The Foglite VCAP5-DCA notes http://thefoglite.com/vcap-dca5-objective/
VMware vSphere official documentation
| VMware vSphere Basics Guide | html | epub | mobi | |
| vSphere Installation and Setup Guide | html | epub | mobi | |
| vSphere Upgrade Guide | html | epub | mobi | |
| vCenter Server and Host Management Guide | html | epub | mobi | |
| vSphere Virtual Machine Administration Guide | html | epub | mobi | |
| vSphere Host Profiles Guide | html | epub | mobi | |
| vSphere Networking Guide | html | epub | mobi | |
| vSphere Storage Guide | html | epub | mobi | |
| vSphere Security Guide | html | epub | mobi | |
| vSphere Resource Management Guide | html | epub | mobi | |
| vSphere Availability Guide | html | epub | mobi | |
| vSphere Monitoring and Performance Guide | html | epub | mobi | |
| vSphere Troubleshooting | html | epub | mobi | |
| VMware vSphere Examples and Scenarios Guide | html | epub | mobi |
Disclaimer.
The information in this article is provided “AS IS” with no warranties, and confers no rights. This article does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my opinion.
