Networking in VMware

Applies to: VMware Server 1.x, VMware Workstation 5.x Date: November 28, 2006

Intro

This series of articles is intended to provide you with information about the design and use of VMware networking.

• Host only, NAT and bridged networking are covered in detail. The design overview is followed by various practical network configuration examples. The examples include an isolated virtual network for R&D purposes, a virtual network for standby replicas of production machines, a virtual network connected to a DMZ for internet services (e.g. public SMTP, HTTP, FTP services, etc.) and a virtual network connected to the LAN for application, file and print services.
• Understanding VMware networking helps to design a virtual network topology that makes the most sense from connectivity, security and manageability standpoints.

VMweekly | All virtualization

www.vmweekly.com


Host only and NAT networking with VMware Server and Workstation

There are three types of networking in VMware Server and VMware Workstation:

• Host only – virtual machines cannot access the outside network
• Bridged – virtual machines can access the outside network using their own IP addresses
• NAT – virtual machines can access the outside network using the host’s IP address

Host only and NAT are pretty similar. The only difference is the additional service (VMware NAT Service) that performs outgoing and incoming traffic translation between the virtual switch and the outside network. Bridged networking operates differently. This article is intended to provide you with an overview of Host only and NAT networking. Bridged networking will be covered in subsequent articles.

Host Only

The following diagram shows the Host only network with VMware Server or Workstation:

This diagram is the same as the one provided in the VMware online documentation. The Host only virtual network behaves like a physical Ethernet switch with the VMs and the host connected to it. A VM is connected to the switch through one or more virtual Ethernet adapters. The host machine is connected through its virtual adapter, named by default ‘VMware Network Adapter VMnet1’. Virtual switch VMnet1 is the default for Host only networking, but a different VMnet number can be configured. Multiple Host only virtual switches can coexist on the same machine.


A virtual NIC on both the host and the VM connects that machine to the virtual switch. The VNIC on any particular VM, or on the host machine, can be disabled or removed without affecting the operation of the virtual switch.

A virtual machine can have more than one virtual NIC, and different VNICs can be connected to different virtual switches (Host only or NAT) or bridged to a specific physical NIC.

The VNIC on the host can be removed, disabled or reconfigured through standard Windows or VMware tools. When the host VNIC is disabled or removed, the VMs continue to communicate with each other through the virtual switch, but the host itself can no longer reach any of them. To remove or disable the host VNIC on Windows, use the VMware ‘Manage Virtual Networks’ utility as the following picture shows:

Virtual NICs on VMs can also be disabled or removed through standard Windows tools or by editing the appropriate VM settings. Removing or disabling a VNIC on a VM effectively disconnects the VM from the corresponding virtual switch.

When a host or VM has multiple virtual NICs, it is possible to use native OS or third party routing (including NAT) or bridging software (e.g. Microsoft Routing and Remote Access, ISA Server, etc.) to connect virtual switches with each other or with the external network. The VMware DHCP Server is optional and can be configured or disabled for a specific virtual switch by using the VMware ‘Manage Virtual Networks’ utility:

When the VMware DHCP Server is disabled, one can use static IP addresses, a non-VMware DHCP server running on the host, or a DHCP server running on one of the VMs to provide the TCP/IP configuration for machines connected to the virtual switch.

In general, designing a virtual network topology is very similar to designing the network topology for an equivalent physical network.

NAT

As I have mentioned before, NAT networking is similar to Host only. The only difference is the NAT device, as shown in the diagram below:


You might notice that the diagram is different from the one in the VMware online documentation. The virtual switch, the VMware DHCP Server and the virtual NICs behave the same way as in the Host only scenario. The NAT device is responsible for IP translation between the virtual switch and the external network.

The NAT device uses sockets to communicate with the external network. The sockets API allows a program to bind to a specific endpoint (and therefore a specific Ethernet adapter) for both incoming and outgoing communication. The VMware NAT device, however, does not bind to one adapter; it uses all the NICs that exist on the system. The device relies on the operating system to direct traffic to a specific destination: the OS consults its routing table, which can be configured through the standard ‘route’ command, to pick a particular interface (NIC) for a particular destination. Therefore, the NAT device uses all the available adapters (both physical and virtual) to dispatch outside traffic.
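To make the routing-table behaviour concrete, here is an added illustration (my own, not from the article or from VMware): a longest-prefix-match lookup over a constructed host routing table, showing which host adapter the NAT service's outbound traffic leaves through, and that removing the VMnet8 host adapter changes nothing for destinations on the Host only switch or on the internet. The adapter names, subnets and addresses are assumed placeholders.

```python
import ipaddress

# Constructed host routing table (placeholder addresses, not from the article).
# Each entry: (destination network, interface the host would send through).
HOST_ROUTES = [
    ("0.0.0.0/0",       "Physical NIC"),                   # default route
    ("10.0.0.0/24",     "Physical NIC"),                   # LAN segment
    ("192.168.10.0/24", "VMware Network Adapter VMnet1"),  # Host only switch
    ("192.168.80.0/24", "VMware Network Adapter VMnet8"),  # NAT switch
]

def select_interface(dst, routes=HOST_ROUTES):
    """Longest-prefix-match lookup, the way the host OS picks an adapter for a
    socket the NAT service opens without binding to a specific NIC."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        if dst_ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1] if best else None

def without_adapter(name, routes=HOST_ROUTES):
    """Routing table after the host VNIC `name` is disabled or removed."""
    return [(net, iface) for net, iface in routes if iface != name]

def nat_egress_paths(destinations, routes=HOST_ROUTES):
    """Map each destination a NATed VM talks to onto the host adapter that the
    NAT service's outbound traffic actually leaves through."""
    return {dst: select_interface(dst, routes) for dst in destinations}

if __name__ == "__main__":
    targets = ["192.168.10.5", "203.0.113.10"]  # VMA on Host only switch; internet host
    print(nat_egress_paths(targets))
    # With the VMnet8 host adapter removed, both paths are unchanged.
    print(nat_egress_paths(targets, without_adapter("VMware Network Adapter VMnet8")))
```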

For example, a NATed network can successfully connect to any Host only virtual switch on the host through the appropriate host virtual NIC, as shown in the following diagram:


The diagram shows that the VMB virtual machine on the NATed switch can successfully ping the VMA virtual machine on the Host only switch. It also shows that the host VNIC for the VMnet8 network is not involved in the VMB to VMA communication. Therefore, reconfiguring or even removing that VNIC does not prevent VMB from accessing either the outside network or the Host only virtual networks on the system. As in the case of Host only networking, the host VNIC is only used for host to VM communications.

The NAT device is a Windows service called ‘VMware NAT Service’. The NAT service can be stopped; in that case the virtual switch acts as a Host only switch. The service cannot be attached to more than one virtual switch on the host, nor can it be assigned to a specific NIC on the host system. The NAT service can also be configured to perform port forwarding, as the picture shows:


When forwarding is on, the NAT service starts a TCP or UDP listener on each specified incoming port. Whatever arrives at that port, the service translates and delivers to the virtual switch through its NAT interface, as shown below:

C:\>netstat -n -a

Active Connections

  Proto  Local Address    Foreign Address  State
  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING
  TCP    0.0.0.0:445      0.0.0.0:0        LISTENING
  TCP    0.0.0.0:902      0.0.0.0:0        LISTENING
  TCP    0.0.0.0:912      0.0.0.0:0        LISTENING
  TCP    0.0.0.0:2869     0.0.0.0:0        LISTENING
  TCP    0.0.0.0:12345    0.0.0.0:0        LISTENING
  …

As one might expect, the listener listens on all the available NICs, including Virtual ones.
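Because the forwarded port is bound to 0.0.0.0, it is reachable on every host address, including the host only and NAT adapter addresses that other VMs on those switches can see. The following added example (mine, not from the article or from VMware) parses a constructed netstat listing modelled on the one above and reports which host adapters each listening port is exposed on; the adapter names and addresses are assumed placeholders.

```python
# Constructed sample of `netstat -n -a` output on a Windows host, modelled on the
# article's listing; port 12345 is the NAT port-forward listener.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49152         10.0.0.1:443           ESTABLISHED
"""
# Constructed host adapter addresses (placeholders, not the article's values).
HOST_ADDRESSES = {
    "Physical NIC": "10.0.0.5",
    "VMware Network Adapter VMnet1": "192.168.10.1",
    "VMware Network Adapter VMnet8": "192.168.80.1",
}
WILDCARD = ("0.0.0.0", "::")

def parse_listeners(text):
    """Return (proto, local_ip, port) for each TCP LISTENING socket and each UDP socket."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                          # header, blank and title lines
        state = parts[3] if len(parts) > 3 else ""
        if parts[0] == "TCP" and state != "LISTENING":
            continue                          # skip ESTABLISHED, TIME_WAIT, ...
        ip, port = parts[1].rsplit(":", 1)    # rsplit keeps IPv6 "[::]:135" intact
        listeners.append((parts[0], ip.strip("[]"), int(port)))
    return listeners

def wildcard_ports(listeners):
    """Ports bound to every address, as the NAT port-forward listener is."""
    return sorted({port for _, ip, port in listeners if ip in WILDCARD})

def exposed_on(port, listeners, host_addresses=HOST_ADDRESSES):
    """Host adapters on which `port` accepts connections: every adapter, virtual
    ones included, for a wildcard bind; only the matching adapter otherwise."""
    adapters = set()
    for _, ip, p in listeners:
        if p == port and ip in WILDCARD:
            adapters.update(host_addresses)
        elif p == port:
            adapters.update(n for n, a in host_addresses.items() if a == ip)
    return sorted(adapters)
```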


Performance considerations

In the next article in this series – ‘Bridged Networking in VMware’ – I will explain why NAT networking requires additional overhead compared to bridged networking. It should be said that on an average system this overhead is insignificant when transferring from the external network to a virtual machine. However, port forwarding works considerably slower. In my tests the maximum HTTP transfer speed with port forwarding was approximately 60 Kbytes/second when downloading from a VM to an external machine. Transferring in the opposite direction using pure NAT without port forwarding ran at 11 Mbytes/second. The physical NIC operated at 100 Mbps. If you are planning to use NAT with port forwarding for internet services, Host only networking combined with the native OS NAT is probably a better solution. On Microsoft Windows Server 2003, NAT is configured through the “Advanced” tab of the physical NIC properties: check the “Allow other network users to connect through this computer’s Internet connection” checkbox and select the VMware host only adapter in the appropriate drop-down list. By default the adapter is called “VMware Network Adapter VMnet1”. The Windows native NAT gave me full NIC speed when transferring with port forwarding.
