Simplify VMware vSphere* 4 Networking with Intel Ethernet 10 Gigabit Server Adapters

To enhance redundancy further, a second option is to move to a four 10GbE port configuration that provides the two primary ports a dedicated backup or redundant port on separate adapters. The same practice of immediately moving VMs to a new host in case of failure (and lost redundancy) should be used. This configuration can provide greater bandwidth to the VMs and the VMkernel traffic types or physical separation of traffic types if required.
Customer Concerns: Security, Traffic Segmentation, and Bandwidth
Concerns reported by customers regarding consolidation of connections onto 10GbE include security and traffic segregation with dedicated bandwidth for critical networking functions.

When GbE server connections are consolidated, a way to isolate connections in the absence of dedicated physical connections is still necessary. This requirement reflects the need for security between different types and classes of traffic, as well as the ability to ensure adequate bandwidth for specific applications within the shared connection.
Security Considerations: Isolating Data among Traffic Streams
In our 10GbE model, VLANs provide some of the basic security features required in the installation. Security of VLANs has been debated, tested, and written about extensively. A review of the documentation suggests strongly that when properly implemented, VLANs provide a viable option for network isolation. For further inquiry on this subject, see the VLAN Security White Paper [4] from Cisco Systems or vSphere Hardening Guide: ESX and Virtual Networking [5] from VMware. In particular, note the following safeguards that help to protect data:
• Logical partitioning protects individual traffic flows. VMware vSphere can control the effects from any individual VM on the traffic flows of other VMs that share the same physical connection.
• Internal and external traffic do not need to share a physical connection. DMZs can be configured on different network adapters to isolate internal traffic from external traffic as security needs dictate.
• Back-end services are handled by VMware ESX. Administrative traffic and other back-end services are handled by a separate networking stack managed by the VMkernel, providing further isolation from VM traffic, even on the same physical connection.

Traffic Segmentation and Ensuring Bandwidth

10GbE provides enough bandwidth for multiple traffic types to coexist on a single port, and in fact, in many cases Quality of Service (QoS) requirements can be met simply by the availability of large amounts of bandwidth. The presence of sufficient bandwidth can also dramatically improve the speed of live VM migration using VMotion, removing potential bottlenecks for greater overall performance. Beyond the general availability of significant bandwidth, however, traffic segmentation can provide dedicated bandwidth for each class of network traffic.

While segmenting traffic flows onto discrete GbE connections is also a viable means of providing dedicated bandwidth to a specific traffic type or function, doing so has distinct shortcomings. For example, allocating two GbE connections to a VM traffic port group provides a potential of 2 Gbps of dedicated bandwidth, but if additional bandwidth is needed for sporadic traffic spikes from that port group, additional server adapters must be added (assuming additional PCI* slots are available). Additionally, the bandwidth allocated in the example cannot be used by any other traffic; it simply goes to waste.

On the other hand, handling the port group with bandwidth from a shared 10GbE server adapter allows additional bandwidth to be allocated for traffic spikes more seamlessly. Furthermore, multiple port groups can share the bandwidth headroom provided by the server adapter. The resource can be automatically and dynamically reallocated as various port groups are accessed by their associated VMs. Dedicated bandwidth is not needed for any one port group as long as the host network connection never reaches saturation. This method is very similar to how VMware shares processor resources, allowing VMs to burst processor utilization as needed due to the likelihood that many VMs won't burst at the same time.

The Intel Networking Test lab confirms the viability of replacing multiple GbE ports with a pair of 10GbE ports in the configuration mentioned in this paper. A number of VMs were installed on each of two hosts, and the process of migrating all of the VMs on one host to the other and back again was timed. This testing was done with no other work or traffic flows on the systems. As a point of comparison, network traffic flows were started to all of the VMs on each host, and the migration exercise was run again. The result was that the time required to migrate the VMs was only minimally affected.