Best practice for NIC cards and vSwitches design

Version 3

    Introduction

    In ESX, networking is quite different from VMware Server or Workstation: there is no NAT and no host-only mode, only "bridged" networking built on the new concept of the vSwitch.

    Think of each vSwitch as a normal switch: it does no routing, NAT or firewalling, it has no IP address (whereas real switches sometimes do), and it can be connected to other (v)Switches using uplinks (in ESX each physical NIC can be an uplink).

     

    Each vSwitch can contain one or more port groups, which are used for VM networking (each VM has one or more vNICs), VMkernel networking (for VMotion, FT, iSCSI, NAS, ...) or Service Console networking (ESX only).

    Note that there are different types of vNIC; for more information see: Virtual NIC type

     

    For more information on networking in ESX:

    VMware Virtual Networking Concepts - http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf

     

    -


     

    New features in vSphere

    With vSphere there are several networking improvements and changes:

    • with ESX Enterprise Plus (and vCenter Server) there is the new concept of the Distributed Virtual Switch (DVS), alongside the standard Virtual Switch (vSwitch)

    • with ESX Enterprise Plus (and vCenter Server) the DVS can be replaced with a third-party switch (like the Cisco Nexus 1000V)

    • with ESX Advanced, Enterprise and Enterprise Plus there is also the new vShield Zones (useful for firewall control).

     

    All these features are available only with the new vSphere products.

     

    -


     

    vSwitches design

    For a correct design, several pieces of information are required:

    • kind of COS/VMkernel networking: COS/management, VMotion, FT, software iSCSI or NAS storage

    • kind of VM networks: different physical networks (like a DMZ network), different logical networks, VLAN usage

    • number of pNICs on each ESX host

     

    The key things to consider are redundancy, performance, and security.

    Usually, for network HA, each vSwitch requires at least two pNICs (and a pNIC can be assigned to only one vSwitch).

    For this reason, with few pNICs the design will probably be simple (but also limited).

    But some kinds of traffic travel in clear text (for example VMotion and iSCSI traffic), so for security reasons it may be necessary to isolate them from other traffic, and more vSwitches may be preferable.

    VLANs can be a solution for isolating different networks without the overhead of using different physical switches.

    But for storage traffic the best choice is a dedicated storage network using different physical switches from the other networks.
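    The three rules above (at least two pNICs per vSwitch, a pNIC belonging to only one vSwitch, and clear-text VMotion/iSCSI traffic kept off the VM segments) can be checked mechanically before a host is built. The following added example is not VMware code or part of this document; `check_design`, the `VSwitch`/`PortGroup` classes and the two sample layouts are constructed here to illustrate the rules.

```python
from dataclasses import dataclass

# Traffic that travels in clear text and should not share a segment with VM networks
CLEAR_TEXT_KINDS = {"vmotion", "iscsi"}


@dataclass
class PortGroup:
    name: str
    kind: str      # "vm", "cos", "vmotion", "ft", "iscsi", "nas"
    vlan: int = 0  # 0 means untagged


@dataclass
class VSwitch:
    name: str
    uplinks: list[str]         # pNIC names such as "vmnic0"
    portgroups: list[PortGroup]


def check_design(switches: list[VSwitch]) -> list[str]:
    """Return findings against the three design rules; an empty list means the layout passes."""
    findings: list[str] = []
    owner: dict[str, str] = {}  # pNIC -> vSwitch that already uses it as uplink
    for sw in switches:
        # Rule 1: network HA needs at least two pNICs per vSwitch
        if len(sw.uplinks) < 2:
            findings.append(f"{sw.name}: {len(sw.uplinks)} uplink(s), no redundancy")
        # Rule 2: a pNIC can be an uplink of only one vSwitch
        for nic in sw.uplinks:
            if nic in owner:
                findings.append(f"{nic}: uplink of both {owner[nic]} and {sw.name}")
            owner.setdefault(nic, sw.name)
        # Rule 3: clear-text traffic must not share a VLAN (or untagged segment) with VM traffic
        vm_vlans = {pg.vlan for pg in sw.portgroups if pg.kind == "vm"}
        for pg in sw.portgroups:
            if pg.kind in CLEAR_TEXT_KINDS and pg.vlan in vm_vlans:
                findings.append(f"{sw.name}/{pg.name}: {pg.kind} on VLAN {pg.vlan} with VMs")
    return findings


# Constructed six-pNIC host: management+VMotion switch, VM switch, dedicated storage switch
GOOD_DESIGN = [
    VSwitch("vSwitch0", ["vmnic0", "vmnic1"], [PortGroup("Service Console", "cos", 10),
                                               PortGroup("VMotion", "vmotion", 20)]),
    VSwitch("vSwitch1", ["vmnic2", "vmnic3"], [PortGroup("VM Network", "vm", 100),
                                               PortGroup("DMZ", "vm", 200)]),
    VSwitch("vSwitch2", ["vmnic4", "vmnic5"], [PortGroup("iSCSI", "iscsi", 0)]),
]
# Constructed two-pNIC host that packs VMs and VMotion untagged onto one switch and reuses a pNIC
BAD_DESIGN = [
    VSwitch("vSwitch0", ["vmnic0"], [PortGroup("VM Network", "vm", 0),
                                     PortGroup("VMotion", "vmotion", 0)]),
    VSwitch("vSwitch1", ["vmnic0", "vmnic1"], [PortGroup("iSCSI", "iscsi", 0)]),
]
```

    Running `check_design(GOOD_DESIGN)` returns no findings, while the two-pNIC layout reports the missing redundancy, the shared pNIC and VMotion sharing the untagged segment with VMs.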

     

    There is also some great info on vSwitch design: