In today’s digital age, where connectivity is paramount, network administrators constantly seek ways to optimize network performance and streamline management processes. The virtual switch is a crucial component that plays a significant role in achieving these goals. In this blog post, we will delve into virtual switches, exploring their benefits, features, and how they contribute to creating efficient and robust network infrastructures.
A virtual switch, also known as a vSwitch, is a software-based network switch that operates within a virtualized environment. It bridges virtual machines (VMs) and physical network interfaces, enabling communication. Like a physical switch, a virtual switch facilitates data transmission, ensuring seamless connectivity throughout the network.
Highlights: Virtual Switch
- The Role of Virtual Switching
Virtual Switching functionality is not carried out with a standard switch, and we will have a distributed virtual switch located closer to the workloads that will connect to a ToR switch. The ToR switch is the first hop device from the virtual switch. In a VMware virtualized environment, a single host runs multiple virtual machines (VM) through the VMkernel hypervisor.
The physical host does not have enough network cards to allocate a physical NIC to every VM, and there are exceptions, for example, Cisco VM-FEX. Still, we generally have more virtual machines than physical network cards. We need a network to support communication flows to get VMs to communicate out an uplink or even to each other internally.
- Traffic Boundaries
Implementing a Layer 2 switch within the ESXi hosts allows traffic flowing from VMs within the same VLAN to be locally switched. Traffic across VLAN boundaries is passed to a security or routing device northbound to the switch.
There are possibilities for micro-segmentation, VM NIC firewalls, and stateful inspection firewalls, but let’s deal with them later in a later article. Essentially, the virtual switch aggregates multiple VM traffic across a set of links and provides frame delivery between VMs based on Media Access Control (MAC) address, all of which fall under the umbrella of virtual switching with a distributed virtual switch.
You may find the following helpful post for pre-information:
- Distributed Firewalls
- VMware NSX Security
- Nest Hypervisors
- Layer-3 Data Center
- Overlay Virtual Networks
- WAN SDN
- Hyperscale Networking
- A key point: Video on hypervisor vulnerabilities
Before you go further in your research for virtual switching and the virtual switch, you may find this helpful video on hypervisor vulnerabilities. Hypervisors often implement a virtual switch to manage connections between the internal virtual network and the external physical. So when designing and implementing your virtual switch design, you must account for different attack vectors and hypervisor vulnerabilities.
- A key point: Back to basics with the virtual switch with VMware.
VMware Virtual Switch
The virtual network delivers the networking for virtual machines and, for example, ESXi hosts in the world of VMware. Like physical switches in our physical network, the essential component is a virtual switch in a virtual network. A virtual switch is a software-based switch built inside the ESXi kernel (VMkernel), used to deliver networking for the virtual environment.
For example, the traffic that flows from/to virtual machines is passed through one of the virtual switches in VMkernel. So the virtual switch provides the connection for virtual machines to communicate with each other, whether operating on the same host or different hosts. A virtual switch works at Layer 2 of the OSI model.
Benefits of Virtual Switches:
1. Enhanced Network Performance: Virtual switches enable administrators to allocate network resources dynamically, optimizing performance based on workload demands. Virtual switches reduce network congestion by efficiently managing bandwidth and prioritizing traffic, resulting in faster and more reliable data transmission.
2. Simplified Network Management: Virtual switches provide central management and configuration capabilities, eliminating the need for individually managing each physical switch. This streamlines network management processes, reducing complexity and saving valuable time for administrators.
3. Improved Security and Isolation: Virtual switches offer advanced security features like VLANs (Virtual Local Area Networks) and access control lists (ACLs). These features enhance network security by isolating traffic and preventing unauthorized access to sensitive data. Additionally, virtual switches allow administrators to implement network policies and monitor traffic, enabling efficient network segmentation and analysis.
Features of Virtual Switches:
1. VLAN Support: Virtual switches support VLANs, allowing administrators to divide a physical network into multiple virtual networks logically. This enables better network segmentation, improved security, and more efficient use of network resources.
2. Quality of Service (QoS): Virtual switches provide QoS capabilities, allowing administrators to prioritize specific types of network traffic. Virtual switches ensure optimal performance and minimal latency by assigning higher priority to critical applications, such as VoIP (Voice over Internet Protocol) or video conferencing.
3. Traffic Monitoring and Analysis: Virtual switches offer built-in traffic monitoring and analysis tools. Administrators can monitor network traffic in real-time, identify bottlenecks, and gain valuable insights into network performance. This enables proactive troubleshooting and optimization of network resources.
Virtual Switch: Three Distinct Types
To enable virtual switching, there are three virtual switches in a VMware environment a) a standalone virtual switch, b) distributed virtual switch, and c) 3rd party distributed switch, such as the Cisco Nexus 1000v. These virtual switches have ports, and the hypervisor presents what looks like a NIC to every VM. The VMs are now isolated, thinking they have a virtual Ethernet adapter. Even if you change the physical cards in the server, the VM does not care as it does not see the physical hardware.
The diagram displays a virtualized environment with two sets of VMs, blue and red, attached to corresponding Port Groups. Port Groups are nothing special, simply management groups based on configuration templates. You may freely have different VMs in Port Groups in the same VLAN communication. The virtual NIC is a software construct emulated by the hypervisor.
Virtual switching and the virtual switch
The standalone virtual switch lacks advanced features but gains in performance. The standalone version is not a feature-rich virtual switch and supports standard VLAN and control planes consisting of CDP. Each ESXi host has an independent switch comprised of its data and control planes. Every switch is a separate management entity.
The Distributed virtual switch (vDS) is purely a management entity and minimizes the configuration burden of the standalone switch. It’s a template you configure in vCenter, applied to individual hosts. It lets you view the entire network infrastructure as one object in the vCenter. The port and network statistics assigned to the VM move when the VM moves.
Virtual distributed switch
The vDS is a simple management template, and each ESXi host has its control and data plane with unique MAC and forwarding rules. The local host proxy switch performs packet forwarding and runs control plane protocols. One major vDS drawback is if vCenter drops, you cannot change anything on the local hosts.
As a best design practice, most engineers use the standard standalone switch for management traffic and vDS for VM traffic on the same host. Each virtual switch (vS and vDS) must have its uplinks. You need at least two uplinks for each switch for redundancy; already, you need four uplinks, usually operating at 10Gbps.
- VMware-based software switches don’t follow 802.1 forwardings or operate Spanning Tree Protocol (STP). Instead, they use special tricks to prevent forwarding loops, such as Reverse Path Forwarding (RPF) checking on the source MAC address.
The Cisco Nexus 1000v
Third-party virtual switching may also be plugged in, and the Nexus 1000v is the most popular. It operates with a control plane, a Virtual Supervisor Module (VSM), and distributed data plane objects, a Virtual Ethernet Module (VEM). Cisco initially operated all control plane protocols on the VSM, including LACP and IGMP snooping. It severely inhibited scalability; now, control plane protocols are distributed locally to the VEMs.
It’s a feature-rich software switch and supports VXLAN. You may also use the TCP-established keyword unavailable in VMware versions. Some of these products are free; others require an enterprise plus license. If you want a free, feature-rich, standards-based switching product, use Open vSwitch, licensed under Apache 2.0.
What is OVS? Open vSwitch is similar to VMware virtual switch and Cisco Nexus 1000v. It operates as a soft switch within the hypervisor or as the control stack for switching silicon. For example, you can flash your device with OpenWrt and install the Open vSwitch package from the OpenWrt repository. Both are standards-based.
The following displays the ports on an Open vSwitch; as you can see, several bridges are present. These bridges are used to forward packets between hosts. It has a great feature set for a complimentary switch, including VXLAN, STT, Layer 4 hashing, OpenFlow, etc.
Virtual Switching: Integration with the ToR Switch
The virtual switch needs to connect to a ToR switch. So, even though the connection is logical, there must be a physical connection between the virtual switch and the ToR switch. Preferably a redundant connection for high availability. However, what happens with the VM on the virtual switch that needs to move?
Challenges occur when VMs must move, resulting in an enormous VLAN sprawl. All VLANs configured on all uplinks to the ToR switch create one big switch. What can be done to reduce this requirement? The best case would be integrating a solution that synchronizes the virtual and physical worlds. Any changes in the virtual world are automatically provisioned in the physical world.
Ideally, we would like the list of VLANs configured on the server-facing port adjusted dynamically as VMs are moved around the network. For example, if VM-A moves from location-A, we want its VLAN removed from the previous location and added to the new location-B. Automatic VLAN synchronization reduces the flooding of Broadcast to servers, lowering the CPU utilization on each physical node.
Virtual switch: The different vendors
Arista, Force 10, and Brocade have VMware networking solutions on their ToR switches. Arista’s solution is VMtracer, natively integrated with EOS, and works across their entire data center switches. VMtracer gives you better visibility and control over VMs. It sends and receives CCDP or LLDP packets to extract VM information, including VLAN numbering per server port.
When a VM moves, it can remove the old VLAN and add the new VLAN to the new ports. Juniper and NEC use their Network Management systems to keep track of VMs and update the list of VLANs accordingly.
Cisco utilizes VM-FEX and a new feature called VM tracker, available on NX-OS. Cisco’s VM tracker interacts with vCenter SOAP API. It works with vCenter to identify the VLAN requirements of each VM to track their movements from one ESXi host to another. It relies on Cisco Discovery Protocol (CDP) information and does not support Link Layer Discovery Protocol (LLDP).
Edge Virtual Bridging (EVB)
An IEEE standard way to solve this is called EVB, and Juniper supports it, as HP ToR switches. VMware virtual switches do not currently support it. To implement EVB in a VMware virtualized environment, you must change the VMware virtual switch to either HP or Juniper. EVB uses VLANs or Q-in-Q tagging between the hypervisor and the physical switch. They introduced a new protocol called VSI that uses VDP as its discovery protocol.
The protocol runs between the virtual switch in the hypervisor and the adjacent physical switch enabling the hypervisor to request information (for example: upon VM move) from the physical switch. EVB follows two paths a) 802.1qbg and b) 802.1qbh. 802.1qbg is also called VEPA (Virtual Ethernet Port Aggregation), and 802.1qbh is also known as VN-Tag (Cisco products support VN-Tag). Both are running in parallel and attempt to provide consistent control for VMs.
Limit core flooding
To reduce flooding in the network core, you need a protocol between the switches, allowing them to exchange information about which VLANs are in use. Cisco uses VTP; designs VTP with care. There is a standard layer 2 messaging protocol called Multiple VLAN Registration Protocol (MVRP). Unfortunately, it’s not implemented by many vendors.
It automates the creation and deactivation of VLANs by allowing switches to register and de-register VLAN identifiers. Unlike VTP, it does not use a “client” – “server” model. Instead, MVRP advertises VLAN information over 802.1q trunks to connected switches with MVRP enabled on the same interface. The neighboring switch receives the MVRP information and builds a dynamic VLAN table. MVRP is supported on Juniper Networks MX Series routers and EX Series switches.
Virtual switches have become indispensable components in modern network infrastructures. Their ability to enhance network performance, simplify management processes, and provide advanced security features make them essential for organizations of all sizes. By leveraging the benefits and features of virtual switches, network administrators can create robust and efficient networks, enabling seamless connectivity and optimizing overall network performance.