VMware Cloud Community
wpatterson9
Contributor

Hopefully a Simple vDS Question

We have a security requirement in our environment to limit the amount of virtual ports in each port group to what's needed... essentially, no unused virtual ports within the port group. Ridiculousness aside, if I change the number of ports available will this cause interruption? The allocation of ports isn't sequential so I would think that the VMs would have to be shuffled to new ports. Mostly concerned with the vStorage and vMotion portgroups. Thanks all for any input/help!

kermic
Expert

If I got it right then the question could be rephrased like:

I do have a dvPortgroup with static binding, fixed (non-elastic) in size of 128 ports

Currently the portgroup properties show dvPorts from 501 to 628 belonging to this portgroup

There are 2 VMs (with single vNIC each) connected, occupying ports 544 and 601

If I decrease the number of ports in this port group, will there be a new / different range of ports assigned to my portgroup and will my VMs be reconnected to different ports?

Just tried it out in my own environment (5.5) - after changing the number of ports on my portgroup to 2 it only shows now in portgroup properties those 2 previously occupied ports, if referring to example above - 544 and 601. No reconnects / disconnects / shuffling around.

A portgroup in a dvSwitch is nothing but a container that allows applying the same settings to a bunch of ports.

And just a bit for further thoughts - on dvSwitch a port can exist without a portgroup. If you are concerned about security, you probably should pay attention also to who can connect things to individual ports and change settings on them.

Hope this helps.

wpatterson9
Contributor

Spot-on, kermic, and thanks for the quick reply and taking the time to test this for us. This helps and I'll also be looking into your suggestions for controlling who can make configuration changes relative to your comments.

MKguy
Virtuoso

If you're concerned about things like this then you should set the "block all ports" setting on the port groups and override the individual ports setting for your active VMs.

That way, even if someone connects a vNIC to a free port, it won't be able to communicate with anything as long as the block setting is not manually overridden on the dvPort. We do this on our DMZ port groups as well.

-- http://alpacapowered.wordpress.com
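One way to script the "block all ports, override only the active ones" approach described in the reply above, as an added PowerCLI example that is not code from anyone in this thread. It assumes the VMware PowerCLI VDS cmdlets are available and `Connect-VIServer` has already been run; the port group name `DMZ-PG` and the `-Apply` switch are hypothetical.

```powershell
# Added example. Report unused dvPorts in a port group and, with -Apply,
# block the port group by default while leaving in-use ports unblocked.
param(
    [string]$PortgroupName = 'DMZ-PG',   # hypothetical port group name
    [switch]$Apply                       # without -Apply the script only reports
)

$pg    = Get-VDPortgroup -Name $PortgroupName -ErrorAction Stop
$ports = @(Get-VDPort -VDPortgroup $pg)

# A dvPort with nothing connected is an "unused port" in the sense of the thread.
$inUse  = @($ports | Where-Object { $_.ConnectedEntity })
$unused = @($ports | Where-Object { -not $_.ConnectedEntity })

'{0}: {1} ports, {2} in use, {3} unused' -f $pg.Name, $ports.Count, $inUse.Count, $unused.Count
$inUse | Select-Object Key, ConnectedEntity, IsBlocked | Format-Table -AutoSize

if (-not $Apply) { return }

# 1. Allow the block setting to be overridden on individual dvPorts.
Get-VDPortgroupOverridePolicy -VDPortgroup $pg |
    Set-VDPortgroupOverridePolicy -BlockOverrideAllowed $true | Out-Null

# 2. Set an explicit "not blocked" on every in-use port BEFORE changing the
#    port group default, so connected VMs are not cut off in between.
foreach ($port in $inUse) {
    Get-VDBlockedPolicy -VDPort $port |
        Set-VDBlockedPolicy -Blocked $false | Out-Null
}

# 3. Block the port group default: free ports now inherit "blocked".
Get-VDBlockedPolicy -VDPortgroup $pg |
    Set-VDBlockedPolicy -Blocked $true | Out-Null

# 4. Read the state back: a port should be blocked exactly when it is unused.
$wrong = @(Get-VDPort -VDPortgroup $pg |
    Where-Object { [bool]$_.ConnectedEntity -eq [bool]$_.IsBlocked })
if ($wrong.Count -gt 0) {
    Write-Warning "$($wrong.Count) port(s) are not in the expected state:"
    $wrong | Select-Object Key, ConnectedEntity, IsBlocked | Format-Table -AutoSize
}
```

Run it once without `-Apply` and compare the in-use list against the VMs you expect before making changes; a VM connected later to a free port stays blocked until its dvPort is overridden.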