Simplify VMware vSphere* 4 Networking with Intel Ethernet 10 Gigabit Server Adapters

ManualsBrandsIntel ManualsOtherIntel 10 Gigabit CX4 Dual Port Server Adapter

The Foundation of Virtualization

WHITEPAPER

The following trac should be conﬁgured on dedicated VLANs:

•Service console should be on a dedicated port group with its own

dedicated VLAN ID; use port 2. An option to connect to a dedicated

management network that is not part of a vDS can provide additional

beneﬁts but does add additional network connections and network

complexity.

• VMotion should be on its own dedicated port group with its own

dedicated VLAN ID; use port 2 in a two-port conﬁguration.

• P-based storage trac (iSCSI, NFS) should be on its own port group

in the vDS; use port 2 in a two-port conﬁguration.

•VM trac can use one or more VLANs, depending on the level of

separation that is needed between the VMs. The VMs should not

share the service console, VMotion, or IP-based storage trac VLAN

IDs and should use port 1 in a two-port conﬁguration.

802.1Q VLAN trunking provides the ability to combine multiple VLANs

onto a single wire. This capability makes the administration of VLANs

more ecient because the grouping can be managed as a unit over

one physical wire and broken into dedicated networks at the switch level

instead of at each host.

BEST PRACTICE 4: USE DYNAMIC LOGICAL

SEGMENTATION ACROSS TWO 10GBE PORTS

If two physical 10GbE ports are used, as shown in Figure 3, place admin-

istrative, live migration, and other back-end trac onto one physical

connection and VM trac onto the other. To provide redundancy

between the two links, conﬁgure the network so that the trac from

each link fails over to the other if a link path failure with a NIC, cable, or

switch occurs.

Placing the service console network separate from the vDS can

help avoid a race condition and provides additional levels of redundancy

and security.

For a deeper discussion around best practices for the use of virtual

switches, see the following resources:

•KenCline’sblogentriesonThe Great vSwitch Debate

•TheVMwarewhitepaper,“What’s New in VMware vSphere™ 4:

Virtual Networking”

BEST PRACTICE 2: STREAMLINE

CONFIGURATION USING PORT GROUPS

Port groups provide the means to apply conﬁguration policies to multiple

virtual switch ports as a group. For example, a bi-directional trac-shap-

ing policy in a vDS can be applied to this logical grouping of virtual ports

with a single action by the administrator. If changes need to be made

in response to a security event or a change in business requirements,

this capability enables faster response, and in normal day-to-day opera-

tions it enables greater eciency by augmenting physical resources with

more sophisticated virtual ones.

BEST PRACTICE 3: USE VLANs WITH VLAN TRUNKING

The use of VLANs allows network trac to be segmented without

dedicating physical ports to each segment, reducing the number of

physical ports needed to isolate trac types. As stated in VMware’s

paper “vSphere Hardening Guide: ESX and Virtual Networking”

(rev B: public draft January 2010): “In general, VMware believes that VLAN

technology is mature enough that it can be considered a viable option

for providing network isolation.”

Port groups enable faster response, and in normal day-to-day operations

it enables greater eciency by augmenting physical resources with more

sophisticated virtual ones.