VMware ESX is a hypervisor from VMware that lets you virtualize your infrastructure. Refer to this link for more details.
Virtualizing the ESX hypervisor itself (i.e. running it as a VM) is a
great way to experiment with different setups and scenarios without
needing a physical lab setup to do the same. One can create a
mini-lab on the virtual ESX setup, add networking and storage to it, and
thus simulate a wide variety of test scenarios. Virtualizing
ESX also gives the user the freedom to clone or snapshot the ESX. Thus, the user
can simply bring up this virtualized ESX on some other host and have
the whole lab setup up and running within a few minutes.
VMware ESX has the capability of running “ESX as a VM” on top of the
physical ESX host. This virtual ESX host has all the capabilities of
the physical host. Thus, one can have a VM running inside a VM
(the virtual ESX) present on a physical server.
VMs communicate with each other through the virtual switches (vswitches)
provided by ESX. Considering the case of a virtual ESX on the physical
ESX, one gets the following connectivity between the vswitches: machine A
is attached to vswitch1 on the physical ESX; the virtual ESX's own NIC is
attached to a port on vswitch1 and serves as the uplink (physical NIC) of
vswitch2 inside the virtual ESX; and machine B is attached to vswitch2.
vswitch1's uplink is the physical NIC connected to the physical switch.
In this setup, consider a scenario where machine A
wants to communicate with machine B. Packets from machine A need to
travel through vswitch1 and vswitch2 to reach machine B. Assuming
there are no VLANs configured on the switches and all ports are part
of the default VLAN (native VLAN), one might expect A to be able to
communicate with B. But in reality, A is unable to communicate with B.
If A sends a ping request to B, only the ARP resolution succeeds
(the MAC address of B is learnt at A); the ping reply is never received by A.
The workaround that enables this communication is to put vswitch1
in promiscuous mode. Let’s discuss the cause of the failure and how
promiscuous mode solves the issue.
Cause of failure:-
The VMware vswitch does not perform MAC learning. It
maintains a port-to-MAC binding table only for the VMs attached
to the vswitch itself. Any frame destined elsewhere is forwarded through the uplink
(physical NIC).
Promiscuous mode:-
It is a mode of operation that allows a network device to intercept
and read every network packet that arrives, in its entirety. Enabling
promiscuous mode on a switch makes the switch behave like a hub for the
ports in the same VLAN.
How the vswitch works in non-promiscuous mode (default):-
For an ARP request, since it is a broadcast, the following steps take place:-
- Machine A sends an ARP broadcast.
- vswitch1 forwards this broadcast to all members of that VLAN as well as out the physical NIC. The broadcast is received both by vswitch2 and by the physical switch.
- On receiving the ARP request, vswitch2 broadcasts it again, and now it is received by machine B.
- Machine B sends a unicast reply. This reply is seen by vswitch2.
- Since the destination is not in its table, vswitch2 forwards this reply through its physical NIC (the virtual ESX's NIC), and it is received at vswitch1.
- vswitch1 finds the destination MAC address in its table and forwards the reply to machine A. Hence, machine A learns the MAC address of machine B.
Next, if one tries to ping machine B from machine A, the following steps take place:-
- Machine A sends a ping request with the destination MAC address of machine B (learnt via the ARP exchange).
- Since it is a unicast frame, vswitch1 looks up the destination MAC address in its table. It finds no entry and therefore sends the packet out to the physical switch through the NIC. The packet is not forwarded to vswitch2, and hence machine A is unable to communicate with machine B.
When vswitch1 is in promiscuous mode:-
The ARP request is resolved in the same way as in the non-promiscuous case discussed above.
For the ping request and response, the following actions take place:-
- A unicast ping request is sent by machine A to machine B. It is received by vswitch1.
- Since vswitch1 is in promiscuous mode, every port on the switch sees the traffic of the other ports that are part of the same VLAN. Therefore, the packet is sent out both to the physical NIC and to the port leading to vswitch2.
- vswitch2 finds the port-to-MAC entry for destination machine B and forwards the packet to machine B.
- Machine B replies to the ping request. The reply is received at vswitch2.
- Since no entry for the destination MAC address is found on vswitch2, the reply is forwarded out its uplink to vswitch1.
- vswitch1 finds the destination MAC address in its table, and hence the response is forwarded to A. Thus, the response from B is received by A.
With promiscuous mode enabled, VMs on the inner ESX host are able to communicate with the outside world.
However, the drawback of promiscuous mode is that it increases the
traffic on the vswitch (every port receives copies of frames not
addressed to it, and every VM on those ports can see the other VMs'
frames in that VLAN) and degrades the performance of the switch. One
solution is to put only the port attached to vswitch2 (the port the
virtual ESX is connected to) in promiscuous mode. But then A needs to be
part of the same VLAN that port allows. Another solution is to use the
advanced virtual switches available in the market that also perform MAC
learning. Some examples of such advanced switches are VMware DVS, Cisco’s
N1KV, IBM DOVE, etc.
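To make the two step lists above and the per-port and VLAN caveats in the last paragraph concrete, here is a small Python model added to this post. It is not VMware code: the MAC addresses, the port names (`portA`, `portB`, `p-vesx`) and the list standing in for the physical switch are made up. It implements exactly the rules the post states: a vswitch knows only the MACs of the VMs on its own ports, floods broadcasts, sends unknown unicast out the uplink, and, when promiscuous (switch-wide or on a single port), copies every frame in a VLAN to the promiscuous ports. It goes slightly beyond the post by also running the single-port variant with A placed in a different VLAN, to show why the VLAN condition matters.

```python
"""Toy model of the nested-ESX topology in the post: vswitch1 on the physical
ESX, vswitch2 inside the virtual ESX, whose uplink is a port on vswitch1.
Constructed illustration, not VMware code; MACs and port names are made up."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str
    dst: str
    vlan: int
    kind: str         # arp-request | arp-reply | ping-request | ping-reply
    target: str = ""  # host name asked for in an ARP request / answering in the reply

@dataclass
class Port:
    vlan: int
    deliver: object            # callable(Frame) for whatever is plugged into the port
    mac: str = None            # MAC of the VM on this port; None for the virtual-ESX-facing port
    promiscuous: bool = False  # per-port promiscuous override

class VSwitch:
    """No MAC learning: it knows only the MACs of VMs on its own ports.
    Broadcasts are flooded; unknown unicast leaves through the uplink (NIC)."""
    def __init__(self, name, promiscuous=False):
        self.name, self.promiscuous = name, promiscuous  # switch-wide mode
        self.ports, self.uplink = {}, None               # uplink: callable(Frame)

    def receive(self, frame, ingress):
        same_vlan = {n: p for n, p in self.ports.items()
                     if p.vlan == frame.vlan and n != ingress}
        known = any(p.mac == frame.dst for p in same_vlan.values())
        if frame.dst == BROADCAST:
            out = set(same_vlan)
        else:
            out = {n for n, p in same_vlan.items() if p.mac == frame.dst}
            # Promiscuous ports see every frame in their VLAN, addressed to them
            # or not: the hub-like behaviour the post describes.
            out |= {n for n, p in same_vlan.items() if self.promiscuous or p.promiscuous}
        # Broadcasts and unknown unicast also go out the uplink, unless they came from it.
        if ingress != "uplink" and self.uplink and (frame.dst == BROADCAST or not known):
            self.uplink(frame)
        for name in out:
            self.ports[name].deliver(frame)

class Host:
    def __init__(self, name, mac, vlan):
        self.name, self.mac, self.vlan = name, mac, vlan
        self.arp, self.replies, self.send = {}, [], None  # send is set by attach_vm

    def receive(self, frame):
        if frame.kind == "arp-request" and frame.target == self.name:
            self.send(Frame(self.mac, frame.src, self.vlan, "arp-reply", target=self.name))
        elif frame.kind == "arp-reply" and frame.dst == self.mac:
            self.arp[frame.target] = frame.src        # A learns B's MAC here
        elif frame.kind == "ping-request" and frame.dst == self.mac:
            self.send(Frame(self.mac, frame.src, self.vlan, "ping-reply"))
        elif frame.kind == "ping-reply" and frame.dst == self.mac:
            self.replies.append(frame.src)

    def ping(self, other):
        """Broadcast ARP first, then a unicast ping; True if a reply came back."""
        self.send(Frame(self.mac, BROADCAST, self.vlan, "arp-request", target=other))
        if other not in self.arp:
            return False
        before = len(self.replies)
        self.send(Frame(self.mac, self.arp[other], self.vlan, "ping-request"))
        return len(self.replies) > before

def attach_vm(switch, port, host):
    switch.ports[port] = Port(host.vlan, host.receive, mac=host.mac)
    host.send = lambda frame: switch.receive(frame, port)

def build_lab(vswitch1_promiscuous=False, nested_port_promiscuous=False, vlan_a=0, vlan_b=0):
    """A on vswitch1 (physical ESX), B on vswitch2 (virtual ESX); returns (A, B, NIC egress)."""
    physical_switch = []                        # stand-in for the real switch
    vsw1 = VSwitch("vswitch1", promiscuous=vswitch1_promiscuous)
    vsw2 = VSwitch("vswitch2")
    vsw1.uplink = physical_switch.append
    a = Host("A", "00:50:56:aa:00:0a", vlan_a)  # constructed MACs
    b = Host("B", "00:50:56:bb:00:0b", vlan_b)
    attach_vm(vsw1, "portA", a)
    attach_vm(vsw2, "portB", b)
    # The virtual ESX's NIC sits on vswitch1 port "p-vesx" (in B's VLAN);
    # vswitch2 uses that link as its uplink.
    vsw1.ports["p-vesx"] = Port(vlan_b, lambda f: vsw2.receive(f, "uplink"),
                                promiscuous=nested_port_promiscuous)
    vsw2.uplink = lambda f: vsw1.receive(f, "p-vesx")
    return a, b, physical_switch

def scenarios():
    """The cases from the post -> {label: (B's MAC learnt by A, ping answered)}."""
    cases = {"default": {}, "vswitch1 promiscuous": {"vswitch1_promiscuous": True},
             "only p-vesx promiscuous": {"nested_port_promiscuous": True},
             "only p-vesx promiscuous, A in another VLAN":
                 {"nested_port_promiscuous": True, "vlan_a": 10, "vlan_b": 20}}
    results = {}
    for label, kw in cases.items():
        a, _, _ = build_lab(**kw)
        answered = a.ping("B")
        results[label] = ("B" in a.arp, answered)
    return results

if __name__ == "__main__":
    print(scenarios())
```

Running `scenarios()` reproduces the post: in the default case A learns B's MAC (the ARP reply comes back through vswitch2's uplink) but the unicast ping request leaves vswitch1 only through the physical NIC; with vswitch1 or just port `p-vesx` promiscuous, the request is also copied to vswitch2 and the ping is answered; and with `p-vesx` promiscuous but A in a different VLAN, nothing reaches vswitch2 at all.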