As many people know, virtualization is as prominent a technology in the networking industry as it is in the server industry. As in the server market, virtualization is used in networking for consolidation via VLANs, which take what used to be 100 separate networks, each with its own NICs and switches, and consolidate them onto one easily manageable and more remote-access-friendly switch. Using VLANs you can change which network a port is on with fewer than 6 commands, as opposed to patching and re-patching cables. Until recently, virtual LANs and virtual servers (ESX for this article) have had no real technological advantage working in cohesion compared to their physical counterparts; however, VMware and Cisco recently released a white paper outlining plans and guidelines for greater connectivity between the two technologies.

http://www.vmware.com/files/pdf/vmi_cisco_network_environment.pdf (White Paper)

In VMware, various networking technologies have been virtualized, mainly vSwitches and vNICs. These virtual entities simulate the actions and features of their physical counterparts, and can be used together to create virtual networks: a series of virtual machines, using virtual NICs, interconnected through a virtual switch. This can then be further enhanced by bridging the vSwitch onto a physical NIC attached to “the outside world”, which, if everything is on the same subnet, allows traffic to flow from the physical NIC into the virtual servers, giving a full virtual -> physical network path. The maximum number of virtual switches allowed per VMware ESX install is a staggering 248! That’s 248 virtual switches running on top of one piece of hardware, not to mention all the VMs. On top of the 248 switches, you are allowed a maximum of 1016 virtual NICs per switch, giving you a potential number of interconnects in the range of 1016 * 248!

Although vSwitches are very similar to physical switches (pSwitches from here on), there are a few differences:

  • Spanning-Tree Protocol (STP) is not supported on virtual switches, as “VMWare infrastructure enforces a single-tier networking topology within the ESX Server”. Basically, the quote says that there is no possible way for you to interconnect multiple vSwitches, thus “ESX Networks cannot be configured to introduce loops”. Because there’s no way for you to attach 2 pNICs to one vSwitch, there is no way to fool an Ethernet adapter into doing loopback or any other configuration which could cause a leak between virtual switches.
  • “ESX Provides a direct channel from virtual Ethernet Adapters for such configuration information as authoritative MAC Filter Updates, therefore there is no need to learn unicast addresses or perform IGMP snooping to learn multicast group membership” – basically, the vSwitch works by acting as a cable: it notices VM1 trying to send to VM2, so it puts a temporary cable in between the VMs and allows communication. Because of this it doesn’t need to know multicast group membership.

Due to this apparent transparency and the lack of any use for STP, there is no need to cascade virtual switches, as the virtual infrastructure provides no capability to connect vSwitches together.

Virtual switch correctness: “It is important to ensure virtual machines or other nodes on the network do not affect the behaviour of the vSwitch”

  • “Virtual switches do not learn MAC addresses from the network in order to populate their forwarding tables. This eliminates a likely vector for denial-of-service (DoS) or leakage attacks, either as a direct denial of service attempt or, more likely, as a side effect of some other attack, such as a worm or virus as it scans for vulnerable hosts to infect.”
  • “Virtual switches make private copies of any frame data used to make forwarding or filtering decisions. This is a critical feature of the virtual switch and is unique to virtual switches. The virtual switch does not copy the entire frame, because that would be inefficient, but ESX Server must make sure that the guest operating system does not have access to any sensitive data once the frame is passed on to the virtual switch.”
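To make the two correctness properties concrete (the authoritative, non-learning forwarding table from the bullets above, and the private header copy from the last quote), here is a small simulation written for this post. It is not VMware code; the two switch classes, the port names and the VM MAC addresses are constructed for illustration. The `LearningSwitch` models an ordinary bridge whose table is written by whatever source address a frame carries, while `AuthoritativeSwitch` models the vSwitch behaviour: its table is handed to it by the hypervisor (which knows which vNIC sits on which port), it never updates that table from frame contents, and it snapshots the header before deciding where a frame goes.

```python
"""Simulation (added example, not VMware's implementation) of why a
hypervisor-populated forwarding table cannot be influenced by guest
traffic, and why the forwarding decision is made on a private copy of
the header.  All MACs, ports and frames below are constructed samples."""
import struct

ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType

# Constructed locally-administered MACs for three guests.
VM1 = b"\x02\x00\x00\x00\x00\x01"
VM2 = b"\x02\x00\x00\x00\x00\x02"
VM3 = b"\x02\x00\x00\x00\x00\x03"


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800,
                payload: bytes = b"") -> bytearray:
    """Minimal Ethernet frame as a mutable buffer (the guest-owned buffer)."""
    return bytearray(ETH_HDR.pack(dst, src, ethertype) + payload)


class LearningSwitch:
    """Conventional learning bridge: every frame's (unauthenticated) source
    field rewrites the table, so any station can move an entry."""

    def __init__(self, ports: list[str]):
        self.ports = ports
        self.table: dict[bytes, str] = {}

    def forward(self, frame: bytes, in_port: str) -> list[str]:
        dst, src, _ = ETH_HDR.unpack_from(frame)
        self.table[src] = in_port                 # learn from the frame itself
        out = self.table.get(dst)
        if out is None:                           # unknown unicast: flood
            return [p for p in self.ports if p != in_port]
        return [out] if out != in_port else []


class AuthoritativeSwitch:
    """vSwitch-style bridge: the table comes from the hypervisor's vNIC
    assignments and is never touched by frame contents."""

    def __init__(self, assignments: dict[bytes, str]):
        self.table = dict(assignments)
        self.last_header = b""                    # kept only so the demo can inspect it

    def forward(self, frame: bytearray, in_port: str) -> list[str]:
        # Private copy of just the fields the decision needs; later writes by
        # the guest to its own buffer cannot change what was decided.
        self.last_header = bytes(frame[:ETH_HDR.size])
        dst, _src, _ = ETH_HDR.unpack(self.last_header)
        out = self.table.get(dst)
        if out is None or out == in_port:         # unknown dst: drop, no learn, no flood
            return []
        return [out]


def spoofing_scenario() -> dict[str, list[str]]:
    """VM3 (port3) emits one frame whose source field carries VM2's MAC.
    Returns where a subsequent VM1 -> VM2 frame is delivered by each model."""
    learning = LearningSwitch(["port1", "port2", "port3"])
    vswitch = AuthoritativeSwitch({VM1: "port1", VM2: "port2", VM3: "port3"})
    # Legitimate VM2 -> VM1 traffic first, so the learning bridge maps VM2 to port2.
    for sw in (learning, vswitch):
        sw.forward(build_frame(VM1, VM2), "port2")
    misattributed = build_frame(VM1, VM2)         # src field says VM2, arrives on port3
    learning.forward(misattributed, "port3")
    vswitch.forward(misattributed, "port3")
    probe = build_frame(VM2, VM1)                 # genuine VM1 -> VM2 frame
    return {"learning": learning.forward(probe, "port1"),
            "vswitch": vswitch.forward(probe, "port1")}


def private_copy_scenario() -> tuple[list[str], bool]:
    """The guest rewrites the destination in its buffer after handing the frame
    over; the switch's snapshot still holds the original destination."""
    vswitch = AuthoritativeSwitch({VM1: "port1", VM2: "port2", VM3: "port3"})
    frame = build_frame(VM2, VM1, payload=b"constructed payload")
    out = vswitch.forward(frame, "port1")
    frame[0:6] = VM3                              # guest mutates its buffer afterwards
    return out, vswitch.last_header[0:6] == VM2


if __name__ == "__main__":
    print(spoofing_scenario())      # learning bridge now sends VM2's traffic to port3
    print(private_copy_scenario())  # (['port2'], True)
```

The learning bridge ends up delivering VM1's traffic for VM2 to port3 after a single misattributed frame, which is exactly the "leakage" the white paper has in mind; the authoritative table is unaffected because it was never derived from frames in the first place. The second scenario shows the same "decide on a copy" discipline the quote describes: whatever the guest does to its buffer after the hand-off, the decision was taken on data it can no longer reach.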

More to come. Sam.