Virtual Switch

Virtual Switch

Virtual Switch

In today's digital age, where connectivity is paramount, network administrators constantly seek ways to optimize network performance and streamline management processes. The virtual switch is a crucial component that plays a significant role in achieving these goals. In this blog post, we will delve into virtual switches, exploring their benefits, features, and how they contribute to creating efficient and robust network infrastructures.

A virtual switch, also known as a vSwitch, is a software-based network switch that operates within a virtualized environment. It bridges virtual machines (VMs) and physical network interfaces, enabling communication. Like a physical switch, a virtual switch facilitates data transmission, ensuring seamless connectivity throughout the network.

Table of Contents

Highlights: Virtual Switch

The Role of Virtual Switching

Virtual Switching functionality is not carried out with a standard switch, and we will have a distributed virtual switch located closer to the workloads that will connect to a ToR switch. The ToR switch is the first hop device from the virtual switch.  In a VMware virtualized environment, a single host runs multiple virtual machines (VM) through the VMkernel hypervisor.

The physical host does not have enough network cards to allocate a physical NIC to every VM, and there are exceptions, for example, Cisco VM-FEX. Still, we generally have more virtual machines than physical network cards. We need a network to support communication flows to get VMs to communicate out an uplink or even to each other internally.

Traffic Boundaries

Implementing a Layer 2 switch within the ESXi hosts allows traffic flowing from VMs within the same VLAN to be locally switched. Traffic across VLAN boundaries is passed to a security or routing device northbound to the switch.

There are possibilities for micro-segmentation, VM NIC firewalls, and stateful inspection firewalls, but let’s deal with them later in an article. Essentially, the virtual switch aggregates multiple VM traffic across a set of links and provides frame delivery between VMs based on Media Access Control (MAC) address, all of which fall under the umbrella of virtual switching with a distributed virtual switch.

Related: You may find the following helpful post for pre-information:

  1. Distributed Firewalls
  2. VMware NSX Security
  3. Nest Hypervisors
  4. Layer-3 Data Center
  5. Overlay Virtual Networks
  6. WAN SDN
  7. Hyperscale Networking



Virtual Switching.

Key Virtual Switch Discussion Points:


  • Introduction to the virtual switch and what is involved.

  • Highlighting virtual switching and how its works.

  • Key points on the distributed virtual switch.

  • Technical details on virtual switch connectivity to the ToR switch.

  • Technical details on the different types of virtual switches.

 

Back to Basics: Virtual Switch with VMware.

VMware Virtual Switch

The virtual network delivers the networking for virtual machines and, for example, ESXi hosts in the world of VMware. Like physical switches in our physical network, the essential component is a virtual switch in a virtual network. A virtual switch is a software-based switch built inside the ESXi kernel (VMkernel), used to deliver networking for the virtual environment.

For example, the traffic that flows from/to virtual machines is passed through one of the virtual switches in VMkernel. So, the virtual switch provides the connection for virtual machines to communicate with each other, whether operating on the same host or different hosts. A virtual switch works at Layer 2 of the OSI model.

Benefits of Virtual Switches:

1. Enhanced Network Performance: Virtual switches enable administrators to allocate network resources dynamically, optimizing performance based on workload demands. Virtual switches reduce network congestion by efficiently managing bandwidth and prioritizing traffic, resulting in faster and more reliable data transmission.

2. Simplified Network Management: Virtual switches provide central management and configuration capabilities, eliminating the need for individually managing each physical switch. This streamlines network management processes, reducing complexity and saving valuable time for administrators.

3. Improved Security and Isolation: Virtual switches offer advanced security features like VLANs (Virtual Local Area Networks) and access control lists (ACLs). These features enhance network security by isolating traffic and preventing unauthorized access to sensitive data. Additionally, virtual switches allow administrators to implement network policies and monitor traffic, enabling efficient network segmentation and analysis.

Features of Virtual Switches:

1. VLAN Support: Virtual switches support VLANs, allowing administrators to logically divide a physical network into multiple virtual networks. This enables better network segmentation, improved security, and more efficient use of network resources.

2. Quality of Service (QoS): Virtual switches provide QoS capabilities, allowing administrators to prioritize specific types of network traffic. They ensure optimal performance and minimal latency by assigning higher priority to critical applications such as VoIP (Voice over Internet Protocol) or video conferencing.

3. Traffic Monitoring and Analysis: Virtual switches offer built-in traffic monitoring and analysis tools. Administrators can monitor network traffic in real-time, identify bottlenecks, and gain valuable insights into network performance. This enables proactive troubleshooting and optimization of network resources.

Lab Guide: Virtual Switching and Open vSwitch

Open vSwitch in Linux

This guide addresses virtual switching with the Open vSwitch (OVS). The OVS is a multi-layer virtual switch that can perform basic Layer 3 and Layer 3 functionality. I have OVS running on a Ubuntu host.  Let’s first have a look at the setup and network configuration. I’m in a virtualized environment, and we have an online interface ens33 to the outside world. You can also see that we have OVS already installed with a bridge called my bridge setup. 

Note:

The OVS acts like a standard switch does and carries out the same switching logic you would find with, for example, a physical Catalyst switch. LAN switches receive Ethernet frames and then make a switching decision: either forward the frame to some other ports or ignore the frame. To accomplish this primary mission, switches perform three actions:

  1. Decide whether to forward a frame or filter (not forward) a frame based on the destination MAC address.
  2. Preparing to forward frames by learning MAC addresses by examining the source MAC address of each frame received by the switch
  3. Preparing to forward only one copy of the frame to the destination by creating a (Layer 2) loop-free environment with other switches by using Spanning Tree Protocol (STP)

Linux works with namespace. These are the same namespaces that form the underlying technology of containers. See how we added a new namespace called finance. We will also create a new veth pair. A veth pair is like a virtual cable. What goes in one end must come out the other end. Consider a veth pair linked to a standard physical cable but in virtual work.

Remember, when we discuss a new namespace, we need to move the links around of the veth pair to the corresponding namespace. In this setup, we have configured only one namespace, finance, but we also have the default namespace of root. The OVS switch, by default, is in the root namespace and can be used to connect disparate namespaces. The OVS also uses VXLAN to extend Layer 2 over IP. 

Virtual Switch: Three Distinct Types

To enable virtual switching, there are three virtual switches in a VMware environment: a) a standalone virtual switch, b) distributed virtual switch, and c) 3rd party distributed switch, such as the Cisco Nexus 1000v. These virtual switches have ports, and the hypervisor presents what looks like an NIC to every VM. The VMs are now isolated, thinking they have a virtual Ethernet adapter. Even if you change the physical cards in the server, the VM does not care as it does not see the physical hardware.

The diagram displays a virtualized environment with two sets of VMs, blue and red, attached to corresponding Port Groups. Port Groups are nothing special, simply management groups based on configuration templates. You may freely have different VMs in Port Groups in the same VLAN communication. The virtual NIC is a software construct emulated by the hypervisor. 

Virtual Switch
Diagram: Virtual Switch

 

Virtual switching and the virtual switch 

The standalone virtual switch lacks advanced features but gains in performance. It is not a feature-rich virtual switch and supports standard VLAN and control planes consisting of CDP. Each ESXi host has an independent switch comprised of its data and control planes. Every switch is a separate management entity.

The Distributed virtual switch (vDS) is purely a management entity and minimizes the configuration burden of the standalone switch. It’s a template you configure in vCenter, applied to individual hosts. It lets you view the entire network infrastructure as one object in the vCenter. The port and network statistics assigned to the VM move when the VM moves.

Virtual distributed switch

The vDS is a simple management template, and each ESXi host has its control and data plane with unique MAC and forwarding rules. The local host proxy switch performs packet forwarding and runs control plane protocols. One major vDS drawback is if vCenter drops, you cannot change anything on the local hosts.

As a best design practice, most engineers use the standard standalone switch for management traffic and vDS for VM traffic on the same host. Each virtual switch (vS and vDS) must have its uplinks. You need at least two uplinks for each switch for redundancy; already, you need four uplinks, usually operating at 10Gbps.

  • VMware-based software switches don’t follow 802.1 forwardings or operate Spanning Tree Protocol (STP). Instead, they use special tricks to prevent forwarding loops, such as Reverse Path Forwarding (RPF) checking on the source MAC address.

 

Lab Guide: Virtual Switch and the Linux Bridge

The Linux Bridge is a virtual device connecting multiple network interfaces, allowing them to operate as a single network segment. Similar to the Open vSwitch, the Linux bridge uses veth pairs.

Note:

– The Linux Bridge supports STP, which prevents network loops and ensures efficient packet forwarding.

– The Linux Bridge can handle Virtual LANs (VLANs) and allows for creating VLAN-aware bridges.

– Configuring VLANs with the Linux Bridge enables network segmentation and improved traffic management.

Linux Bridge Utilities:

Linux Bridge Utilities, or brctl, can create and manage software-based network bridges in Linux. These utilities allow multiple network interfaces to be connected at the data link layer, creating a virtual bridge that facilitates communication between different network segments. 

Virtual Switches, like physical switches, run STP to prevent loops.

The Cisco Nexus 1000v

Third-party virtual switching may also be plugged in, and the Nexus 1000v is the most popular. It operates with a control plane, a Virtual Supervisor Module (VSM), and distributed data plane objects, a Virtual Ethernet Module (VEM). Cisco initially operated all control plane protocols on the VSM, including LACP and IGMP snooping. It severely inhibited scalability; now, control plane protocols are distributed locally to the VEMs.

It’s a feature-rich software switch and supports VXLAN. You may also use the TCP-established keyword, which is unavailable in VMware versions. Some of these products are free; others require an enterprise plus license. If you want a free, feature-rich, standards-based switching product, use Open vSwitch, licensed under Apache 2.0.

virtual switching
Diagram: Virtual switching with Nexus 1000v

Open vSwitch

What is OVS? Open vSwitch is similar to VMware virtual switch and Cisco Nexus 1000v. It operates as a soft switch within the hypervisor or as the control stack for switching silicon. For example, you can flash your device with OpenWrt and install the Open vSwitch package from the OpenWrt repository. Both are standards-based.

The following displays the ports on an Open vSwitch; as you can see, several bridges are present. These bridges are used to forward packets between hosts. It has a great feature set for a complimentary switch, including VXLAN, STT, Layer 4 hashing, OpenFlow, etc.

Openvswitch

Virtual Switching: Integration with the ToR Switch

The virtual switch needs to connect to a ToR switch. So, even though the connection is logical, there must be a physical connection between the virtual switch and the ToR switch. Preferably a redundant connection for high availability. However, what happens with the VM on the virtual switch that needs to move?

Challenges occur when VMs must move, resulting in an enormous VLAN sprawl. All VLANs configured on all uplinks to the ToR switch create one big switch. What can be done to reduce this requirement? The best case would be integrating a solution synchronizing the virtual and physical worlds. Any changes in the virtual world are automatically provisioned in the physical world.

Ideally, we would like the list of VLANs configured on the server-facing port adjusted dynamically as VMs are moved around the network. For example, if VM-A moves from location-A, we want its VLAN removed from the previous location and added to the new location-B. Automatic VLAN synchronization reduces the flooding of Broadcast to servers, lowering the CPU utilization on each physical node.

Virtual switch: The different vendors

Arista, Force 10, and Brocade have VMware networking solutions on their ToR switches. Arista’s solution is VMtracer, natively integrated with EOS, and works across all their data center switches. VMtracer gives you better visibility and control over VMs. It sends and receives CCDP or LLDP packets to extract VM information, including VLAN numbering per server port.

When a VM moves, it can remove the old VLAN and add the new VLAN to the new ports. Juniper and NEC use their Network Management systems to keep track of VMs and update the list of VLANs accordingly.

Cisco utilizes VM-FEX and a new feature called VM tracker, which is available on NX-OS. Cisco’s VM tracker interacts with vCenter SOAP API. It works with vCenter to identify the VLAN requirements of each VM to track their movements from one ESXi host to another. It relies on Cisco Discovery Protocol (CDP) information and does not support Link Layer Discovery Protocol (LLDP).

Edge Virtual Bridging (EVB)

An IEEE standard way to solve this is called EVB, and Juniper supports it, as HP ToR switches. VMware virtual switches do not currently support it. To implement EVB in a VMware virtualized environment, you must change the VMware virtual switch to either HP or Juniper. EVB uses VLANs or Q-in-Q tagging between the hypervisor and the physical switch. They introduced a new protocol called VSI that uses VDP as its discovery protocol.

The protocol runs between the virtual switch in the hypervisor and the adjacent physical switch, enabling the hypervisor to request information (for example, upon VM move) from the physical switch. EVB follows two paths a) 802.1qbg and b) 802.1qbh. 802.1qbg is also called VEPA (Virtual Ethernet Port Aggregation), and 802.1qbh is also known as VN-Tag (Cisco products support VN-Tag). Both are running in parallel and attempt to provide consistent control for VMs.

 

Limit core flooding

To reduce flooding in the network core, you need a protocol between the switches, allowing them to exchange information about which VLANs are in use. Cisco uses VTP and designs it carefully. There is a standard layer 2 messaging protocol called Multiple VLAN Registration Protocol (MVRP), but many vendors do not implement it.

It automates the creation and deactivation of VLANs by allowing switches to register and de-register VLAN identifiers. Unlike VTP, it does not use a “client” – “server” model. Instead, MVRP advertises VLAN information over 802.1q trunks to connected switches with MVRP enabled on the same interface. The neighboring switch receives the MVRP information and builds a dynamic VLAN table. MVRP is supported on Juniper Networks MX Series routers and EX Series switches.

Conclusion:

Virtual switches have become indispensable components in modern network infrastructures. Their ability to enhance network performance, simplify management processes, and provide advanced security features make them essential for organizations of all sizes. By leveraging the benefits and features of virtual switches, network administrators can create robust and efficient networks, enabling seamless connectivity and optimizing overall network performance.