VMware Cloud Community
java_cat33
Virtuoso

Single vswitch with many port groups vs multiple vswitches

I always set the configuration settings (adapters assigned, load balancing, traffic shaping, etc.) based upon a port group of a vSwitch, not on the vSwitch itself (where permissions propagate from the vSwitch if settings aren't configured manually on the port group). So what is the advantage of having multiple vSwitches as opposed to many port groups with different configurations? Assuming you have many NICs (in my case 8) and stacks of ports assigned to the vSwitch.

Are there performance benefits?

Also...

What about multiple port groups for standard VM traffic (PROD) or DEV vs single port group for this traffic?

Performance benefits? E.g. if you have 4 NICs for standard VM traffic: create 1 port group (with 4 NICs), or create 2 port groups (2 NICs per group)?

I feel that there is less management etc using one port group (for standard VM traffic on the same VLAN), assuming there was no requirement to have a difference in traffic shaping in the port groups?

Any comments or feedback?

Accepted Solutions
Texiwill
Leadership

Hello,

This is an endless debate.... I would read through the following:

iSCSI Isolation: http://communities.vmware.com/message/906562#906562

Network Design/Security:

http://communities.vmware.com/thread/111877?tstart=0

http://communities.vmware.com/message/792421

http://communities.vmware.com/message/788939

If you search the forums you will come up with as many opinions as there are people. It all boils down to:

1) How much performance you want: separate vSwitches imply more pNICs in use than just load balancing alone in most cases.

2) How much security you want: separate vSwitches give an overall better security stance. Isolation is quite a bit better with this type of multi-vSwitch design as it prepares for future and current attacks.

3) How much redundancy you need: separate vSwitches with 2 pNICs per vSwitch give a lot of redundancy. I have found that more than 2 pNICs per vSwitch can cause issues when links go down. Load balancing depends entirely on the method you use, and how many VMs are in use.

Most people I have seen split their traffic. If you are at a highly secure location you should split your traffic, else follow your security policy, etc. But I also find pNIC segregation gives me better overall performance.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
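
The three criteria in the answer above (isolation, redundancy, pNICs per vSwitch) can be checked mechanically against a host layout. This is an added example, not code from any poster in the thread; the inventory format, zone labels and finding names are hypothetical, and both layouts are constructed.

```python
from collections import defaultdict

# Constructed inventories in a hypothetical format (not a VMware export).
# "nics" is a port-group teaming override; without it the vSwitch uplinks apply.
SINGLE = {"vSwitch0": {"uplinks": ["vmnic0", "vmnic1", "vmnic2", "vmnic3"],
    "portgroups": {
        "Service Console": {"zone": "mgmt", "nics": ["vmnic0", "vmnic1"]},
        "iSCSI": {"zone": "storage", "nics": ["vmnic1", "vmnic0"]},
        "PROD": {"zone": "vm", "nics": ["vmnic2", "vmnic3"]},
        "DEV": {"zone": "vm", "nics": ["vmnic3"]}}}}
SPLIT = {
    "vSwitch0": {"uplinks": ["vmnic0", "vmnic1"], "portgroups": {
        "Service Console": {"zone": "mgmt"}}},
    "vSwitch1": {"uplinks": ["vmnic2", "vmnic3"], "portgroups": {
        "iSCSI": {"zone": "storage"}}},
    "vSwitch2": {"uplinks": ["vmnic4", "vmnic5"], "portgroups": {
        "PROD": {"zone": "vm"}, "DEV": {"zone": "vm"}}}}

def audit(layout, max_uplinks=2):
    """Return sorted (object, finding, detail) tuples for one host layout."""
    findings, nic_zones = [], defaultdict(set)
    for vs, cfg in layout.items():
        zones = {pg["zone"] for pg in cfg["portgroups"].values()}
        if len(zones) > 1:  # different traffic types share one vSwitch
            findings.append((vs, "mixed-zones", ",".join(sorted(zones))))
        if len(cfg["uplinks"]) > max_uplinks:  # threshold taken from the thread
            findings.append((vs, "many-uplinks", str(len(cfg["uplinks"]))))
        for name, pg in cfg["portgroups"].items():
            # A port-group override wins; otherwise the vSwitch uplinks apply.
            nics = pg.get("nics", cfg["uplinks"])
            if len(set(nics)) < 2:  # a single link failure isolates this group
                findings.append((name, "no-redundancy", ",".join(nics)))
            for nic in nics:
                nic_zones[nic].add(pg["zone"])
    for nic, zones in nic_zones.items():
        if len(zones) > 1:  # one pNIC carries more than one traffic type
            findings.append((nic, "shared-pnic", ",".join(sorted(zones))))
    return sorted(findings)

if __name__ == "__main__":
    for label, layout in (("single vSwitch", SINGLE), ("split vSwitches", SPLIT)):
        print(label, audit(layout))
```

In the single-vSwitch layout the port-group overrides keep VM traffic on its own pNICs, yet the audit still reports the shared vSwitch and the pNICs shared between management and storage, which is the isolation gap the answer describes.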

kjb007
Immortal

I've found it better to bond no more than 2 NICs together. I haven't seen much of a gain doing so, so I limit my switches to include a bonded active/active pair of NICs. If I have the NICs, then I prefer to separate my traffic with switches as opposed to portgroups, and I find it cleaner to use multiple switches as opposed to multiple portgroups on a single switch. Also, in case of troubleshooting, I find it easier to deal with 2 NICs, instead of 4, for the switch.

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
ac57846
Hot Shot

I'm definitely a one-vSwitch guy too; I like lots of fault tolerance in my pNICs.

I also like my service console and production networks to be on the same vSwitch and dependent upon the same pNICs so that an HA isolation only occurs if the production network is also isolated.

Attached is my default network design; it is my starting point for discussing with clients what they need.

java_cat33
Virtuoso

Thanks guys - I agree. There are many valid opinions and it comes down to the kit you use and the way you configure it. As long as you have redundancy, security and throughput - all shall be well :D

Very helpful links Texiwill.
