VCAP6-DCV Deployment – Objective 3.1 – Implement and Manage vSphere Standard Switch (vSS) Networks

Main Study Page

Objectives 3.1 are broke down as the following

  • Create and manage vSS components according to a deployment plan:
    • VMkernel ports on standard switches
    • Advanced vSS settings
  • Configure TCP/IP stack on a host
  • Create a custom TCP/IP stack
  • Configure and analyze vSS settings using command line tools

Create and manage vSS components according to a deployment plan

Creating a standard vSwitch (vSS) is straight forward and can be done via the Web Client or the CLI.  I will first cover the Web Client here in this section then cover the CLI in a later section.  Most admins would have created many vSS so I will not cover that in too much detail but I will go over some of the advanced vSS settings following the objectives.

Web Client – Host – Manage – Networking – Virtual Switches – Add Host Networking.  I will create a new vSS with a virtual machine port group.  Other options are to create a port group that contains a VMKernel Network Adapter or a Physical Network Adapter.  I want to create a new switch so I select New Standard Switch



The wizard will then prompt to add a physical uplink to the vSS, this can be added at a later point or be added now.  For me vmnic4 is available to use



I then need to add a label and a VLAN ID to the port group.  I have selected a virtual machine port group so this VLAN will need to match my relevent VLAN for my virtual machines


To create a VMKernel interface the process is very similar, in this example I will use the same vSS as the wizard created above.  Web Client – Host – Manage – Networking – VMKernel Adaptors – Add.  Select VMKernel Network Adapter and I select the vSS I created above vSwitch5 



I now need to label and give the interface a VLAN ID that is relevant to my network.  I will leave the TCP/IP stack to default for this example, I will create a new TCP/IP stack in the next section.  TCP/IP stacks can be used for certain functions or applications that can have its own DNS and default gateway settings.  One example can be used for vMotion, a dedicated TCP/IP stack can be used for this and no other funtion such as VSAN traffic.  If a TCP/IP stack is created and interfaces in the default TCP/IP stack will be disabled.

Choose the service the VMKernel interface will be used for, in my example I select vMotion and give the interface an IP address to match the relevant VLAN / subnet



Now in my vSS I have a virtual machine prot group and a VMKernel port group using the same physical uplink.  In production these may need to be separated by VLAN or use different uplinks


Once a vSS has been created the advanced settings can be modified Web Client – Host – Manage – Networking – Virtual Switches – vSS – Edit Settings.  Here I can change the MTU settings, for example Jumbo Frames set 9000, change here to set it at the vSS level it will still need to be set at a port group level for a VMKernel adaptor.  Set the ID from 1-4094 for vSwitch tagging or select ID 4095 for in guest tagging allowing any VLAN to be passed from the guest VM, finally leave to 0 to not pass any VLANs on the vSwitch.


Next section is the security settings

  • Promiscuous mode – set to Reject by default – guest adapters in promiscuous mode will receive all frames passed on the virtual switch that are allowed under the VLAN
  • MAC address changes – set to Accept by default – by accepting ESXi accepts request to change the effective MAC address to a different one.  Reject will block the ESXi host from accepting this request to change the MAC and the port that the VM used to send the request will be disabled until the effective MAC address matches the initial MAC address
  • Forged transmit – set to Accept by default – when set to accept ESXi does not compare source and effective MAC address, to protect against MAC impersonation set to Reject which will allow the host to compare source MAC address from the guest VM to its effective MAC for its adapter, if they dont match the packets will be dropped



Next section allows for traffic shaping if required


Finally set the Teaming and Failover options

  • Route based on IP hash – selects an uplink based on a hash of the source and destination IP addresses of each packet.  Requires physical switch to be configured with EtherChannel
  • Route based on the originating virtual port – selects an uplink based on the virtual port IDs on the switch. After the virtual switch selects an uplink for a virtual machine or a VMkernel adapter, it always forwards traffic through the same uplink for this virtual machine or VMkernel adapter.
  • Route based on source MAC hash – selects an uplink based on a hash of the source Ethernet
  • Use explicit failover order – no load balancing is performed here but is rather selected from a list of active adapters


Set the Network Failure Detection

  • Link status only – relies only on the link status that the network adapter provides. This option detects failures such as removed cables and physical switch power failures
  • Beacon probing – Sends out and listens for beacon probes on all NICs in the team, and uses this information, in addition to link status, to determine link failure.ESXi sends beacon packets every second


Finally set to Notify switches yes or no this notifies the physical switch in the event of a failover and Failback to yes or no which decides if the physical adapter is returned to active status after a recovered failure


Configure TCP/IP stack on a host

By default TCP/IP stacks are configured – default, vMotion and Provisioning.  Additional TCP/IP stacks can be created to forward networking traffic through a custom application, VMKernel adapters can then be assigned to the stack.


Default TCP/IP stack can be edited.  Web Client – Host – Manage – Networking TCP/IP configuration – System Stack – Edit TCP/IP Stack Configuration.  From here its possible to add custom DNS settings and default gateway.



The max number of connections can also be set


Create a custom TCP/IP stack

To create a new TCP/IP stack I must use the CLI, once connected to the host I run the following

>esxcli network ip netstack add -N=custom_vmotion



Configure and analyze vSS settings using command line tools

A vSS can be configured using the CLI, the following example will create a new vSS called vSwitch6 with the MTU setting of 9000, a port group called Test VMs, vmnic4 added as an uplink and a new VMKernel interface vmk6

>esxcli network vswitch standard add –vswitch-name=vSwitch6

>esxcli network vswitch standard set –mtu 9000 –vswitch-name=vSwitch6

>esxcli network vswitch standard portgroup add –portgroup-name=”Test VMs” –vswitch-name=vSwitch6

>esxcli network vswitch standard uplink add –uplink-name=vmnic4 –vswitch-name=vSwitch6

>esxcli network ip interface add –interface-name=vmk6 –portgroup-name=”Test VMs”



See VMware CLI reference guide here for more options

To analyse vSS setting using the CLI also see the reference guide, the following are a pick of some of those commands.  To retrieve basic networking information for VMKernel interfaces run the following

>esxcli network ip interface list


To see the IP address for a specific VMKernel adapter run the following

>esxcli network ip interface ipv4 get -i vmk3


For netstat information run the following

>esxcli network ip connection list


To view information on configured vSS run the following

>esxcli network vswitch standard list


To see advanced options for a vSS run the following

>escli network vswitch standard policy failover get -v vSS_name

>escli network vswitch standard policy security get -v vSS_name

>escli network vswitch standard policy shaping get -v vSS_name


Leave a comment

Your email address will not be published. Required fields are marked *