Sunday, 30 March 2014

Traffic Filtering and DSCP Marking in vSphere 5.5

In a vSphere distributed switch 5.5 and later, by using the traffic filtering and marking policy, you can protect the virtual network from unwanted traffic and security attacks or apply a QoS tag to a certain type of traffic.

The traffic filtering and marking policy represents an ordered set of network traffic rules for security and for QoS tagging of the data flow through the ports of a distributed switch. In general, a rule consists of a qualifier for traffic, and of an action for restricting or prioritizing the matching traffic.

The vSphere distributed switch applies rules on traffic at different places in the data stream. The distributed switch applies traffic filter rules on the data path between the virtual machine network adapter and distributed port, or between the uplink port and physical network adapter for rules on uplinks.

This is in addition to being able to tag traffic and pass Quality of Service (QoS) or Differentiated Services Code Point (DSCP) values up to the physical network for prioritization.

ACLs give you fine-grained control over what traffic is allowed in or out of a VM, a set of VMs or an entire port group. The feature is configured at the port group level and allows for an unlimited number of rules. The rules are processed in the VMkernel, so no external appliance is needed. That means no single point of failure, faster rule processing and, in some cases, reduced network traffic, since rule processing happens before the traffic leaves the ESXi host.

You can create these rules at the VM port group level and at the uplink port group level.

How to Create Traffic Filtering Rules

1. Traffic filtering refers to the ability to allow or disallow different types of traffic. vSphere Distributed Switch can also pass class of service information on to a physical switch with Traffic Filtering. Begin by logging on to vSphere Web Client and navigating to the [Networking] section.

2. Click on a port group that is on the distributed switch. In this example, we select [Marketing-Test]. Click on [Manage] and click on [Edit].

3. Click on [Traffic Filtering and Marking], and then change the Status to [Enabled]. Then click on the Add [+] icon to set the filtering rule.

4. By default, “Tag” is selected as the preferred action. Change it to [Drop] so as to add an access control list to the port group.

5. Select the preferred traffic direction. Here we retain the default selection. Then click on the Add [+] icon and click on [New IP Qualifier].

The VDS supports packet classification, based on the following three different types of qualifiers:
  • MAC SA and DA qualifiers
  • System traffic qualifiers
      • vSphere vMotion, vSphere management, vSphere FT, and so on
  • IP qualifiers
      • Protocol type, IP SA, IP DA, and port number

After the qualifier has been selected and packets have been classified, users have the option to either filter or tag those packets. When the classified packets have been selected for filtering, users have the option to filter ingress, egress, or traffic in both directions.

6. Here you have options to change protocols, source ports and destination ports. We change the Protocol from TCP (6) to [ICMP (1)].

7. In this example, we retain the default Source Address and change the Destination Address. We enter the IP address of a server named esxi01, apply the changes and click on [OK].

8. The new qualifier has been successfully created. Click on [OK].

9. We now open the VM Console and attempt to ping esxi01. Notice that the pings are failing because the traffic filter is in place.

10. Change the Action to [Allow] and click on [OK].

11. We switch back to the VM Console and see that the pings are now successful. To summarize, traffic filtering gives the ability to create Access Control Lists at the Distributed Port Group level.
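
To see why rule order matters in an ordered rule set like this one, the following added example (not code from the original post or from VMware) models the walkthrough's Drop ICMP rule and flags a later rule that an earlier, broader rule hides. It assumes first-match evaluation and that unmatched traffic is allowed; the `Rule` class, function names, and the 192.0.2.x addresses are hypothetical placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                          # hypothetical model of one filtering rule
    name: str
    action: str                      # "Allow", "Drop" or "Tag"
    direction: str = "both"          # "ingress", "egress" or "both"
    protocol: Optional[int] = None   # IP protocol number (1 = ICMP, 6 = TCP); None = any
    src: str = "0.0.0.0/0"           # IP SA qualifier
    dst: str = "0.0.0.0/0"           # IP DA qualifier
    def matches(self, pkt):
        return (self.direction in ("both", pkt["direction"])
                and self.protocol in (None, pkt["protocol"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst))

def evaluate(rules, pkt):
    """Walk the ordered rules; assumption: first match decides, no match means Allow."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "Allow", None

def covers(a, b):
    """True when every packet that rule b matches is also matched by rule a."""
    return (a.direction in ("both", b.direction)
            and a.protocol in (None, b.protocol)
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst)))

def shadowed(rules):
    """Return (later, earlier) pairs where an earlier rule with another action hides a later one."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules)
            for earlier in rules[:i]
            if earlier.action != later.action and covers(earlier, later)]

ESXI01 = "192.0.2.10"  # constructed placeholder; the page does not give esxi01's address
DROP_ICMP = Rule("drop-icmp-to-esxi01", "Drop", protocol=1, dst=ESXI01 + "/32")
ALLOW_ICMP = Rule("allow-all-icmp", "Allow", protocol=1)
PING = {"direction": "ingress", "protocol": 1, "src": "192.0.2.50", "dst": ESXI01}  # constructed
SSH = {"direction": "ingress", "protocol": 6, "src": "192.0.2.50", "dst": ESXI01}   # constructed

if __name__ == "__main__":
    print(evaluate([DROP_ICMP], PING))              # the ping from step 9
    print(evaluate([ALLOW_ICMP, DROP_ICMP], PING))  # a broad Allow placed first wins
    print(shadowed([ALLOW_ICMP, DROP_ICMP]))        # audit flags the hidden Drop
```

Running the shadow check over an exported rule list before changing rule order shows whether a Drop rule would silently stop taking effect.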