By Keith Kessinger, Associate Site Editor
In a VMware environment, networking can be tricky, especially in large, complex infrastructures. But a strong network
Server virtualization destroys traditional data center models, in which servers are treated as islands. In doing so, it also complicates data center networking, because it extends a network to virtual hosts. A VMware virtual network can pose several technology-based drawbacks, including less visibility into network traffic and network manageability challenges. And a network architecture can blur the roles and responsibilities of data center personnel, which can create technical and political problems.
The answers to these frequently asked questions about VMware networking will help you understand vSphere's network architecture, features and pain points and offer some VMware networking strategies.
Which vSphere features offer new functionality for VMware networking?
There are several new vSphere networking features:
- Private VLANs: control data access and visibility on virtual switches (vSwitches). Private VLANs serve as firewalls on LANs, and they prevent breaches from outside sources.
- Support for new virtual network interface cards: VSphere 4 supports VMXNET3 -- a third-generation, high-performance virtual network interface card (NIC).
- Support for IPv6: a networking standard that resolves the increasing scarcity of numerical IPv4 addresses. Now vSphere 4 hosts are identifiable through iPv6 hexadecimal addresses.
Other VMware networking features (PDF) include support for third-party virtual switches, network vMotion and bidirectional traffic shaping.
When it comes to security, what are good VMware networking strategies?
There are several ways to protect a VMware network. VMware vShield Zones is a virtual firewall that protects virtual machines (VMs), vSwitches and network traffic. It also analyzes traffic to troubleshoot and detect suspicious activity.
VMware has also added new vShield security features with vShield App and vShield Edge. VShield Edge is a routing virtual firewall built on the VMsafe application programming interface, and VShield App provides cross-host isolation at the application level. With vShield App, administrators can prevent designated groups from communicating with specific machines.
There are also many third-party security tools for VMware networking.
What virtual switches are available for VMware networking?
There are three virtual switch options for vSphere infrastructures:
- VMware vSwitch: This virtual switch comes standard with vSphere at no additional cost. It offers basic VMware networking features, such as 802.1Q VLAN tagging, jumbo frames and port groups.
- VSphere vNetwork Distributed Switch: Enterprise Plus shops can use this VMware networking switch for centralized traffic management and creating VLANs. It's managed through vCenter, and it's simpler than host profiles for network configuration.
- Cisco Nexus 1000V: This switch is the most costly option, but network administrators can use it to automate management of the virtual network instead of relying on virtualization staff. It runs the familiar Cisco IOS command-line interface, and it integrates with other third-party switches.
What management problems do virtual switches cause?
Virtualization administrators usually manage virtual network switches, but this arrangement prevents the network administrators from controlling key aspects of a network. Most VM traffic on a host doesn't leave the server, so physical networking tools can't monitor or manage it.
Additionally, virtualization and network administrators have little control over vSwitches. (Standard and distributed virtual switches lack basic management features.) Network administrators cannot disable ports on virtual switches as they can on physical NICs. And on physical networks, administrators can lock down ports to prevent unauthorized devices from accessing the network. They lose this capability with vSwitches.
What are some VMware networking
strategies with virtual switches?
To create a virtual network, you want one side of the virtual switch connected to a physical network and the other connected to a virtual NIC. Virtual switches don't have to connect to physical NICs, and this configuration creates a fully virtualized network. But you can't directly connect two virtual switches, which is known as layering. You must have a VM in between two virtual switches.
What VMware networking issues does vCloud Director create?
VMware vCloud Director Network Isolation technology can build logical networks, firewalls and routing on a bridged data center infrastructure -- all without the assistance of an IT department's networking group. This ability may produce network stability and security problems -- especially when inexperienced virtualization administrators expand a private cloud.
Layer 2 and Layer 3 networks are a collection of disparate networking technologies and standards. Without the proper planning and training, these virtual networks are susceptible to performance and security issues.
This was first published in December 2010