Tuesday, September 11, 2012
Standard Virtual Switch Architecture
To the outside world, the vNIC has its own MAC address and one or more IP addresses and responds to the standard Ethernet protocol exactly as a physical NIC would. In fact, an outside agent can determine it is communicating with a virtual machine only if it checks the six byte vendor identifier in the MAC address.
A standard switch, or standard virtual Switch, works like a layer-2 physical switch. It maintains a MAC: port forwarding table and performs three important functions:
- It looks up each frame’s destination MAC when it arrives.
- It forwards a frame to one or more ports for transmission.
- And, it avoids unnecessary deliveries. In other words, it is not a hub.
On one side of the virtual switch are port groups that connect to virtual machines. On the other side are uplink connections to physical Ethernet adapters on the server where the virtual switch resides.
Virtual machines connect to the outside world through the physical Ethernet adapters that are connected to the virtual switch uplinks. ESX supports high performance networking for running the most demanding workloads in virtual machines.
A standard switch can connect its uplinks to more than one physical Ethernet adapter to enable NIC teaming. With NIC teaming, two or more physical adapters can be used for load balancing or to provide passive failover in the event of a physical adapter hardware failure or a network outage.
The virtual ports on a virtual switch provide logical connection points among virtual devices and between virtual and physical devices. You can think of the ports as virtual RJ-45 connectors. Each virtual switch can have up to 1,016 virtual ports, with a limit of 4,096 ports on all virtual switches on a host. However, this system-wide limit includes eight reserved ports per standard vSwitch, so you can use only 4088 ports.
A virtual Ethernet adapter updates the virtual switch port with MAC filtering information when it is initialized and whenever it changes. A virtual port may ignore any requests from the virtual Ethernet adapter that would violate the Layer 2 security policy in effect for the port. For example, if MAC spoofing is blocked, the port drops any packets that violate this rule.
Port group is a unique concept in the virtual environment. A port group is a mechanism for setting policies that govern the network connected to it. Instead of connecting to a particular port on the standard vSwitch, a virtual machine connects its vNIC to a port group. All virtual machines that connect to the same port group belong to the same network inside the virtual environment even if they are on different physical servers. Port groups can be configured to enforce a number of policies that provide enhanced network security, network segmentation, better performance, higher availability, and traffic management.
