Introduction to vSphere Networking

Day 2

VMware vSphere:
Install, Configure, Manage
Content

• Virtual Networking
• Introduction to vSphere Standard Switches
• Troubleshooting of vSS
• Scenarios
• Introduction to vSphere Distributed Switches
• Troubleshooting of vDS
• NSX
Introduction to vSphere
Standard Switches
Learner Objectives
By the end of this lesson, you should be able to meet the following
objectives:
• Describe the virtual switch connection types
• Configure and view standard switch configurations, such as virtual machine
port group, VMkernel port, VLAN, and so on
Types of Virtual Switch Connections
A virtual switch has specific connection types:
• Virtual machine port groups
• VMkernel port:
– For IP storage, VMware vSphere® vMotion® migration, VMware vSphere® Fault
Tolerance, VMware Virtual SAN™, and VMware vSphere® Replication™
– For the ESXi management network

Virtual Machine Port Groups VMkernel Ports

Production TestDev DMZ vSphere Management

vMotion
Virtual Switch

Uplink Ports
Virtual Switch Connection Examples
More than one network can coexist on the same virtual switch. Or
networks can exist on separate virtual switches.

Management vSphere vMotion Production TestDev iSCSI

Virtual Switch

Management vSphere vMotion Production TestDev iSCSI

Virtual Switch Virtual Switch Virtual Switch Virtual Switch Virtual Switch
Tagging ports

Virtual switch tagging is one of the supported tagging policies

Types of Virtual Switches
Types of Virtual Switches
Standard Switch Components
A standard switch provides connections for virtual machines to
communicate with one another, whether they are on the same host or on
different hosts.

VM VM VM IP Management
1 2 3 storage Network

VNIC VNIC VNIC VNIC

VMkernel

Test VLAN 101

Production VLAN 102
IP Storage VLAN 103
Management VLAN 104
Adding Standard Switch
Viewing the Standard Switch Configuration
Viewing physical network Adaptaters
Configuring Standard Switch
Policies
Learner Objectives
By the end of this lesson, you should be able to meet the following
objectives:
• Explain how to set the security policies for a standard switch port group
• Explain how to set the traffic shaping policies for a standard switch port group
• Explain how to set the NIC teaming and failover policies for a standard switch
port group
Network Switch and Port Policies
Policies that are set at the standard switch level apply to all port groups
on the standard switch by default.
Available network policies:
• Security
• Traffic shaping
• NIC teaming and failover

Policies are defined at the following levels:

• Standard switch level:
– Default policies for all the ports on the standard switch.
• Port group level:
– Effective policies: Policies defined at this level override the default policies that are
set at the standard switch level.
Configuring Security Policies
Administrators can define security policies at both the standard switch
level and the port group level:
• Promiscuous mode: Allows a virtual switch or port group to forward all traffic
regardless of the destination.
• MAC address changes: Accept or reject inbound traffic when the MAC
address has been altered by the guest.
• Forged transmits: Accept or reject outbound traffic when the MAC address
has been altered by the guest.
Traffic-Shaping Policy
Network traffic shaping is a mechanism for limiting a virtual machine’s
consumption of available network bandwidth.
Average rate, peak rate, and burst size are configurable.
Outbound Bandwidth

Peak Bandwidth

Average

Time
Burst Size = Bandwidth x Time
Configuring Traffic Shaping
A traffic-shaping policy is defined by average bandwidth, peak
bandwidth, and burst size. You can establish a traffic-shaping policy for
each port group and each distributed port or distributed port group:
• Traffic shaping is disabled by default.
• Parameters apply to each virtual NIC in the standard switch.
• On a standard switch, traffic shaping controls only outbound traffic.
NIC Teaming and Failover Policies
Administrators can edit the NIC teaming and failover policy by
configuring specific options.
Network Troubleshooting
ESXCLI Command
To troubleshoot networking configurations from the ESXi command line,
ESXCLI is the tool to use or PUTTY can be used.
There are a number of options available when running ‘esxcli’ in terms of
network settings:
~ esxcli network
Netcat Command
Netcat can be used to test connectivity to and from your ESXi host.

~ nc -h
ESXCFG Command
The esxcfg-nics command provides information about the physical NICs
in use by the VMkernel.
This prints the VMkernel name for the NIC, its PCI ID, driver, link state,
speed, duplex, and a short PCI description of the card. It also allows
users to set speed and duplex settings for a specific NIC.
~ esxcfg-nics <options> [nic]
Network Problem 1

The ESXi host has intermittent or no network connectivity to other

systems.

As an initial check from VMware vSphere® ESXi™ Shell, ping a system

that is known to be up and accessible by the ESXi host.

DCUI
Command
Prompt
Identifying Possible Causes
If you know that your hardware is functioning correctly, take the top-down
approach to troubleshooting, starting with the ESXi host configuration.

Possible Causes

The ESXi host network configuration is incorrect.

The VLAN ID of the port group is incorrect.
ESXi The speed and duplex of the network links are not
Host consistent.
The network link is down.
NIC teaming is not configured properly.

The network adapter or server hardware is not

Hardware supported.
(Network, Server) The physical hardware is faulty or misconfigured.
Network performance is slow.
Possible Cause: ESXi Network Misconfiguration (1)
Verify that your ESXi host network is configured properly:
• Check vSphere standard switches, vmnics, port groups, and VMkernel ports:
– In VMware vSphere® Management Assistant, use vicfg-vswitch –l
– In vSphere ESXi Shell, use esxcfg-vswitch –l and esxcfg-vmknic –l

• Check VLAN IDs of port groups:

– esxcli network vswitch standard portgroup list
Possible Cause: ESXi Network Misconfiguration (2)
Verify that your ESXi host network configuration is configured properly:
• Speed and duplex:
– vicfg-nics –l
• Network uplink and NIC status (up or down):
– esxcfg-nics –l
– vicfg-nics –l
– esxcli network nic list
Resolving ESXi Network Misconfiguration
Adjust settings in your ESXi network configuration that are not
configured properly:
• Standard switches, vmnics, port groups:
– Add standard switch: vicfg-vswitch –a vswitch#
– Add port group: vicfg-vswitch –A pg_name vswitch#
– Add uplink: vicfg-vswitch –L vmnic# vswitch#
• VLAN IDs of port groups:
– esxcli network vswitch standard portgroup set
–p pg_name -v vlan_ID
• Speed and duplex:
– vicfg-nics –d duplex -s speed vmnic#

• Network link status (up or down):

– Connect network adapters to the intended physical switch ports.
Possible Cause: NIC Teaming Misconfiguration
Verify that NIC teaming is configured properly.
Possible Cause: Unsupported or Faulty Hardware
Verify that you are not encountering the following ESXi network
hardware issues:
• The network adapter or server hardware is not supported:
– vicfg-nics –l
– Verify that the network hardware is listed in VMware Compatibility Guide.
• The physical hardware is faulty or misconfigured:
– lspci –p
Possible Cause: Slow Network Performance
Use esxtop (or resxtop) to view key network metrics that can help
identify network performance problems.

Sample resxtop Output

The esxtop command is available in both vSphere ESXi Shell and

VMware vSphere® Command-Line Interface.
Review of Virtual Machine Connectivity
If your virtual machine loses network connectivity, the cause of the
problem might be in the physical layer, the virtual layer, or the guest
operating system itself.

APP
Virtual
FIREWALL Machine
OS

Virtual NIC
Port Groups

Virtual
Switch

Uplink Ports
Physical NICs
Network Problem 2

The virtual machine has no network connectivity.

As an initial check, ping the virtual machine from another system.

If the ping command fails, ping other virtual machines on the same
network to determine the scope of the problem.
Identifying Possible Causes
Take a top-down approach to troubleshooting, from the guest operating
system to the virtual machine and the ESXi host.

Possible Causes

Application or IP settings are misconfigured.

Guest OS The firewall in the guest OS is blocking traffic.

Virtual The port group name does not exist.

Machine The virtual network adapter is not connected.

Underlying issues with ESXi network connectivity exist.

ESXi Storage or resource contention on the ESXi host exists.
Host
Possible Cause: IP Settings and Firewall Problems
IP settings and problems with firewalls might cause the problem.
Check IP settings to ensure that the TCP/IP settings in the guest
operating system are correct.
The firewall in the guest operating system might be blocking traffic.
Ensure that the firewall does not block required ports.
Possible Cause: Port Group Misconfiguration
The port group name that the virtual machine uses is incorrect:
• View the standard switch port group names on the ESXi host:
– vicfg-vswitch –l
• Verify that the virtual machine is using the correct port group.

The virtual network adapter is not connected to the port group:

• Verify that the network adapter is connected to the correct port group.
Network Problem 3

An ESXi host frequently disconnects from VMware vCenter Server™.

Another symptom is that the ESXi host is successfully added to the

vCenter Server inventory but disconnects 30 to 90 seconds after the task
completes.
The problem is that dropped, blocked, or lost heartbeat packets are
occurring between vCenter Server and the ESXi host.
Heartbeat Communication Between vCenter Server and ESXi
The ESXi host sends a heartbeat to vCenter Server to signal that the
host is accessible by the management network.

vCenter Server
Management
Firewall ESXi Network
(vmk0)
Windows

Heartbeat Sent over UDP Port 902

Identifying Possible Causes
Take a top-down approach to troubleshooting, from the vCenter Server
system to the ESXi host and the hardware.

Possible Causes

Windows Firewall is enabled on the vCenter Server system,

vCenter Server and UDP port 902 is blocked.

ESXi vCenter Server is not using port 902 for receiving heartbeats,
Host or the ESXi firewall is blocking that port.

Hardware
(CPU, Memory, The network between ESXi and vCenter Server is congested.
Network, Storage)
Possible Cause: Port Blocked by Windows Firewall
If Windows Firewall is enabled and UDP port 902 is blocked, view the
ports blocked by Windows Firewall.
To resolve this problem, adjust Windows Firewall settings:
• If ports are not configured, disable Windows Firewall.
• If the firewall is configured to affect ports, ensure that Windows Firewall is not
blocking UDP port 902.
Possible Cause: vCenter Server Not Using Port 902
By default, the vpxa agent on the ESXi host sends heartbeats to vCenter
Server (vpxd) through UDP port 902.
A problem might exist if the host is configured to send heartbeats over a
port other than 902.
Use the less /etc/vmware/vpxa/vpxa.cfg command on the host
to determine the port that is used to send heartbeats:

…
Resolving the Use of a Port Other Than 902 (1)
If you prefer to use a nondefault port for heartbeats, ensure that the ESXi
firewall is not blocking that port.
Contents of heartbeat.xml
Network Problem 4

The ESXi host cannot be managed by vCenter Server.

This problem can occur if the ESXi host’s management network was
misconfigured or manipulated from the command line.
For example, you can bring a physical network card up or down with the
esxcli command:
• esxcli network nic up –n vmnic0
• esxcli network nic down –n vmnic0
• esxcli network nic list
Recovering a Lost Management Network: Standard Switch
If your management network is on a standard switch and you lose
management network connectivity, the solution uses the Configure
Management Network option in the DCUI.
Network Restore Options in the DCUI
To restore the network through the DCUI:
1. Select Network Restore Options.
2. Perform a full network restore.
3. Repair the Management network on a misconfigured standard or
distributed switch.

The Restore Network Settings option deletes all the current network
settings except for the Management network.
Review of Learner Objectives
You should be able to meet the following objectives:
• Provide a network troubleshooting overview
• Analyze and troubleshoot standard switch problems
• Analyze and troubleshoot virtual machine connectivity problems
• Analyze and troubleshoot management network problems
Key Points
• Virtual network connectivity problems might occur with standard switches,
distributed switches, virtual machines, or management networks.
• A virtual machine connectivity problem might exist in the physical layer, the
virtual layer, or the guest operating system.
• The ping command is useful when troubleshooting ESXi host and virtual
machine connectivity issues.
• When an ESXi host frequently disconnects from vCenter Server, heartbeat
packets are being lost between vCenter Server and the ESXi host.
• vSphere network rollback prevents accidental misconfiguration of management
networking and loss of connectivity.
• A good practice is to back up your distributed switch configuration with the
vSphere Web Client whenever you make a change to the configuration.
• You can use the restore or the import function to reset the distributed switch
configuration.
Questions?