Note:- You cannot edit or delete the default switching profiles in the NSX Manager. You can create custom switching profiles instead.
These are the default switching profiles in NSX-T 2.2
QoS
QoS provides high-quality and dedicated network performance for preferred traffic that requires high bandwidth. The QoS mechanism does this by prioritizing sufficient bandwidth, controlling latency and jitter, and reducing data loss for preferred packets even when there is a network congestion. This level of network service is provided by using the existing network resources efficiently.
In this release, shaping and traffic marking, namely CoS and DSCP, are supported. Layer 2 Class of Service (CoS) lets you specify a priority for data packets when traffic is buffered in the logical switch because of congestion. Layer 3 Differentiated Services Code Point (DSCP) classifies packets based on their DSCP values. CoS is always applied to the data packet irrespective of the trusted mode.
NSX-T either trusts the DSCP setting applied by a virtual machine or modifies and sets the DSCP value at the logical switch level. In either case, the DSCP value is propagated to the outer IP header of encapsulated frames, which lets the external physical network prioritize the traffic based on the DSCP setting in the outer header. In Trusted mode, the DSCP value is copied from the inner header. In Untrusted mode, the DSCP value is not preserved from the inner header.
Note:- DSCP settings work only on tunneled traffic. These settings do not apply to traffic inside the same hypervisor.
You can use the QoS switching profile to configure the average ingress and egress bandwidth values that set the transmit rate limit. The peak bandwidth rate is the burst traffic a logical switch is allowed, to prevent congestion on the northbound network links. These settings do not guarantee bandwidth but help limit the use of network bandwidth. The actual bandwidth you observe is determined by the link speed of the port or the values in the switching profile, whichever is lower.
The QoS switching profile settings are applied to the logical switch and inherited by the child logical switch port.
How to Create Custom QoS Switching Profile
1. Log in to the NSX Manager UI
2. Switching > Switching Profiles > Add > QoS
3. Now configure the details as required
DSCP = Select either a Trusted or Untrusted option from the Mode drop-down menu.
When you select Trusted mode, the inner header DSCP value is applied to the outer IP header for IP/IPv6 traffic. For non-IP/IPv6 traffic, the outer IP header takes the default value. Trusted mode is supported on overlay-based logical ports. The default value is 0.
Untrusted mode is supported on overlay-based and VLAN-based logical ports. For an overlay-based logical port, the DSCP value of the outbound IP header is set to the configured value irrespective of the inner packet type. For a VLAN-based logical port, the DSCP value of IP/IPv6 packets is set to the configured value. The DSCP value range for Untrusted mode is 0 to 63; 0 has the highest priority.
CoS = CoS is supported on VLAN-based logical ports. CoS groups similar types of traffic in the network, and each type of traffic is treated as a class with its own level of service priority. Lower priority traffic is slowed down or, in some cases, dropped to provide better throughput for higher priority traffic. CoS can also be configured for packets whose VLAN ID is zero.
The CoS values range from 0 to 7, where 0 is the best effort service.
Ingress = Set custom values for the outbound network traffic from the VM to the logical network.
You can use the average bandwidth to reduce network congestion. The peak bandwidth rate is used to support burst traffic, and the burst duration is set in the burst size setting. The bandwidth cannot be guaranteed, but you can use the setting to limit network bandwidth. The default value, 0, disables this ingress setting.
Ingress Broadcast = Set custom values for the outbound broadcast traffic from the VM to the logical network.
The default value, 0, disables this ingress broadcast setting.
Egress = Set custom values for the inbound network traffic from the logical network to the VM.
The default value, 0, disables this egress setting.
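A pre-flight check for a custom QoS profile definition, added here as an illustration (not VMware code): it applies the constraints the section above states (DSCP mode and 0-63 range, Trusted only on overlay ports, CoS 0-7 on VLAN ports, 0 disabling a shaper) before anything is pushed to NSX Manager. The dictionary layout and the port_type parameter are assumptions made for this example, not the NSX-T API schema.

```python
"""Validate a custom QoS switching profile against the rules on this page.

Added example; the profile dictionary shape is an assumption, not the NSX-T API.
"""

DSCP_MODES = {"TRUSTED", "UNTRUSTED"}
SHAPERS = ("ingress", "ingress_broadcast", "egress")


def validate_qos_profile(profile, port_type="OVERLAY"):
    """Return a list of problems; an empty list means the profile is acceptable.

    profile = {"dscp": {"mode": "UNTRUSTED", "value": 46},
               "cos": 5,                          # optional, VLAN ports only
               "shapers": {"ingress": {"average": 100, "peak": 200, "burst": 1500}}}
    port_type is "OVERLAY" or "VLAN" (assumed names for the two logical port kinds).
    """
    problems = []

    dscp = profile.get("dscp", {})
    mode = str(dscp.get("mode", "")).upper()
    if mode not in DSCP_MODES:
        problems.append(f"dscp.mode must be one of {sorted(DSCP_MODES)}")
    elif mode == "TRUSTED" and port_type != "OVERLAY":
        problems.append("Trusted DSCP mode is supported only on overlay-based ports")
    elif mode == "UNTRUSTED" and not 0 <= dscp.get("value", 0) <= 63:
        problems.append("dscp.value must be between 0 and 63")

    cos = profile.get("cos")
    if cos is not None:
        if port_type != "VLAN":
            problems.append("CoS is supported only on VLAN-based ports")
        if not 0 <= cos <= 7:
            problems.append("cos must be between 0 and 7 (0 is best effort)")

    for name in SHAPERS:
        shaper = profile.get("shapers", {}).get(name)
        if not shaper:
            continue
        avg, peak = shaper.get("average", 0), shaper.get("peak", 0)
        if min(avg, peak, shaper.get("burst", 0)) < 0:
            problems.append(f"{name}: values must not be negative")
        elif avg == 0:
            continue  # 0 leaves this shaper disabled, as the page describes
        elif peak < avg:
            # sanity check: the peak rate exists to absorb bursts above the average
            problems.append(f"{name}: peak bandwidth must be at least the average")
    return problems
```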
IP Discovery
IP Discovery uses DHCP snooping, ARP snooping, or VM Tools to learn the VM MAC and IP addresses. After the MAC and IP addresses are learnt, the entries are shared with the NSX Controller to achieve ARP suppression. ARP suppression minimizes ARP traffic flooding within VMs connected to the same logical switch.
DHCP snooping inspects the DHCP packets exchanged between the VM DHCP client and the DHCP server to learn the VM IP and MAC addresses.
ARP snooping inspects the outgoing ARPs and GARPs of the VM to learn the IP and MAC addresses. ARP snooping is applicable if the VM uses a static IP address instead of DHCP.
VM Tools is software that runs on an ESXi-hosted VM and can provide the VM's configuration information including MAC and IP addresses. This IP discovery method is available for VMs running on ESXi hosts only.
Switch Security
Switch security provides stateless Layer 2 and Layer 3 security by checking the ingress traffic to the logical switch and dropping unauthorized packets sent from VMs, matching the IP address, MAC address, and protocols against a set of allowed addresses and protocols. You can use switch security to protect the logical switch integrity by filtering out malicious traffic from the VMs in the network.
You can configure the Bridge Protocol Data Unit (BPDU) filter, DHCP Snooping, DHCP server block, and rate limiting options to customize the switch security switching profile on a logical switch.
BPDU Filter = When the BPDU filter is enabled, all traffic to the BPDU destination MAC addresses is blocked. Enabling the BPDU filter also disables STP on the logical switch ports, because these ports are not expected to take part in STP.
BPDU Filter Allow List = Select a destination MAC address from the BPDU destination MAC address list to allow traffic to that destination.
DHCP Server Filter = DHCP Server Block blocks traffic from a DHCP server to a DHCP client. Note that it does not block traffic from a DHCP server to a DHCP relay agent.
DHCP Client Block prevents a VM from acquiring a DHCP IP address by blocking DHCP requests.
Block Non-IP Traffic = Toggle the Block Non-IP Traffic button to allow only IPv4, IPv6, ARP, GARP and BPDU traffic.
The rest of the non-IP traffic is blocked. The permitted IPv4, IPv6, ARP, GARP and BPDU traffic is based on other policies set in address binding and SpoofGuard configuration.
By default, this option is disabled to allow non-IP traffic to be handled as regular traffic.
Rate Limits = Set a rate limit for the ingress or egress broadcast and multicast traffic.
Rate limits are configured to protect the logical switch or the VM from, for example, broadcast traffic storms.
To avoid connectivity problems, the minimum rate limit value must be >= 10 pps.
SpoofGuard
A SpoofGuard policy blocks traffic determined to be spoofed.
SpoofGuard is a tool designed to prevent virtual machines in your environment from sending traffic with an IP address they are not authorized to send traffic from. If a virtual machine's IP address does not match the IP address in the corresponding logical port and switch address binding in SpoofGuard, the virtual machine's vNIC is prevented from accessing the network entirely. SpoofGuard can be configured at the port or switch level.
There are several reasons SpoofGuard might be used in your environment:
- Preventing a rogue virtual machine from assuming the IP address of an existing VM.
- Ensuring the IP addresses of virtual machines cannot be altered without intervention – in some environments, it’s preferable that virtual machines cannot alter their IP addresses without proper change control review. SpoofGuard facilitates this by ensuring that the virtual machine owner cannot simply alter the IP address and continue working unimpeded.
- Guaranteeing that distributed firewall (DFW) rules will not be inadvertently (or deliberately) bypassed – for DFW rules created using IP sets as sources or destinations, the possibility always exists that a virtual machine could have its IP address forged in the packet header, thereby bypassing the rules in question.
- MAC SpoofGuard - validates the MAC address of the packet
- IP SpoofGuard - validates the MAC and IP addresses of the packet
- Dynamic Address Resolution Protocol (ARP) inspection, that is, ARP and Gratuitous ARP (GARP) SpoofGuard and Neighbor Discovery (ND) SpoofGuard - validates the source MAC, source IP and IP-to-MAC source mapping carried in the ARP/GARP/ND payload
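The checks listed above, together with the Switch Security "Block Non-IP Traffic" option from the previous section, as an added simulation (not NSX-T code): a logical port carries one address binding, and every frame the VM sends is matched against it the way the page describes, with the ARP case checking the sender fields inside the payload rather than only the Ethernet header. The port and frame field names and the sample addresses are constructed for this example.

```python
"""Port-level SpoofGuard and non-IP filter decision, added illustration only.

A port holds the binding {"mac", "ip"} the VM is authorized to use, a
spoofguard mode ("MAC" or "IP"), and the block_non_ip flag. Frame fields are
constructed for the example; ND (IPv6) inspection is omitted for brevity.
"""

# Switch Security "Block Non-IP Traffic": only these frame types pass (GARP is ARP).
ALLOWED_WHEN_BLOCKING_NON_IP = {"IPv4", "IPv6", "ARP", "BPDU"}


def check_frame(port, frame):
    """Return (allowed, reason) for one frame sent by the VM behind this port."""
    binding = port["binding"]
    if port.get("block_non_ip") and frame["ethertype"] not in ALLOWED_WHEN_BLOCKING_NON_IP:
        return False, "non-IP traffic blocked by switch security"
    # MAC SpoofGuard: the Ethernet source MAC must be the bound MAC (both modes).
    if frame["src_mac"] != binding["mac"]:
        return False, "source MAC does not match port binding"
    # IP SpoofGuard: for IP packets the source IP must match as well.
    if port["spoofguard"] == "IP" and frame["ethertype"] in ("IPv4", "IPv6"):
        if frame.get("src_ip") != binding["ip"]:
            return False, "source IP does not match port binding"
    # ARP/GARP inspection: the sender MAC/IP inside the ARP payload must match
    # the binding; a valid Ethernet header alone does not make the mapping valid.
    if frame["ethertype"] == "ARP":
        if (frame.get("arp_sender_mac"), frame.get("arp_sender_ip")) != (binding["mac"], binding["ip"]):
            return False, "ARP sender MAC/IP does not match port binding"
    return True, "ok"


def demo():
    """Run constructed frames through one port; returns {label: allowed}."""
    port = {"binding": {"mac": "00:50:56:aa:bb:01", "ip": "10.0.0.11"},
            "spoofguard": "IP", "block_non_ip": True}
    mac = port["binding"]["mac"]
    frames = {
        "own ip":      {"ethertype": "IPv4", "src_mac": mac, "src_ip": "10.0.0.11"},
        "forged ip":   {"ethertype": "IPv4", "src_mac": mac, "src_ip": "10.0.0.99"},
        "garp for own": {"ethertype": "ARP", "src_mac": mac,
                         "arp_sender_mac": mac, "arp_sender_ip": "10.0.0.11"},
        "arp claiming other ip": {"ethertype": "ARP", "src_mac": mac,
                                  "arp_sender_mac": mac, "arp_sender_ip": "10.0.0.99"},
        "lldp":        {"ethertype": "LLDP", "src_mac": mac},
    }
    return {label: check_frame(port, f)[0] for label, f in frames.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:24s} {'allow' if allowed else 'drop'}")
```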
MAC Management
The MAC management switching profile supports two functionalities:
- MAC learning and
- MAC address change.
The MAC address change feature allows a VM to change its MAC address. A VM connected to a port can run an administrative command to change the MAC address of its vNIC and still send and receive traffic on that vNIC. This feature is supported on ESXi only and not on KVM. This property is disabled by default.
MAC learning provides network connectivity to deployments where multiple MAC addresses are configured behind one vNIC, for example, in a nested hypervisor deployment where an ESXi VM runs on an ESXi host and multiple VMs run inside the ESXi VM. Without MAC learning, when the ESXi VM's vNIC connects to a switch port, its MAC address is static. VMs running inside the ESXi VM do not have network connectivity because their packets have different source MAC addresses. With MAC learning, the vSwitch inspects the source MAC address of every packet coming from the vNIC, learns the MAC address and allows the packet to go through. If a MAC address that is learned is not used for a certain period of time, it is removed. This aging property is not configurable.
If you enable MAC learning or MAC address change, to improve security, configure SpoofGuard as well.