
Trouble due to changed vDS default security policy

This posting is ~6 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

A customer contacted me because he had trouble moving a VM between two clusters. The hosts in the source cluster used vNetwork Standard Switches (vSS), the hosts in the destination cluster a vNetwork Distributed Switch (vDS). Because of this, a host in the destination cluster had an additional vSS with the same port groups that were used in the source cluster. This configuration allowed the customer to do vMotion without shared storage between the two clusters. The setup worked fine until the customer moved a specific VM to the new cluster and switched the port group of the VM from the vSS to the vDS: the VM lost its network connectivity. Switching back to the vSS restored network connectivity for the VM. While troubleshooting this issue I noticed that the port was blocked due to a L2 security violation.

[Screenshot dvs_port_blocked: the vDS port is shown as blocked due to a L2 security violation. Patrick Terlisten / www.vcloudnine.de / Creative Commons CC0]

If you take a closer look at the MAC address of the VM with the blocked port, you will notice that it differs from the MAC address range VMware normally assigns. Now VMware KB2030982 comes into play. It describes a change to the default security policy for vDS distributed port groups. This table was taken from VMware KB2030982 and shows the differences between the security settings.

Default Setting        vSphere 5.0 and earlier    vSphere 5.1 and later
Promiscuous Mode       Reject                     Reject
MAC Address Changes    Accept                     Reject
Forged Transmits       Accept                     Reject

[Screenshot dvs_security_settings: the security settings of a distributed port group. Patrick Terlisten / www.vcloudnine.de / Creative Commons CC0]

But why was the VM hit by this change? The VM is the result of a P2V migration and it runs an application that relies on a specific MAC address. Because of this, the MAC address of the old physical server was entered in the network driver properties of the guest. The changed security settings prevent the use of forged MAC addresses: the host compares the source MAC address of each packet transmitted by the guest OS with the effective MAC address of its adapter to see if they match. If they don't, the host drops the packet. To allow the use of forged MAC addresses, the security setting "Forged transmits" and, optionally, "MAC address changes" need to be changed from "Reject" to "Accept". You can modify these settings per port group; there is no need to change them for all port groups of the vDS.
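As an added illustration (not part of the original post), the following Python model shows how the two checks decide whether the P2V VM keeps connectivity under the vSphere 5.0 and 5.1 defaults. It is a simplification of ESXi's real implementation: the Accept/Reject semantics and the comparison of a frame's source MAC with the adapter's effective MAC follow the text and the VMware documentation; the MAC addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class SecurityPolicy:
    """Security settings of a (distributed) port group: "Accept" or "Reject"."""
    mac_address_changes: str
    forged_transmits: str

# Defaults as listed in the table above.
POLICY_VSPHERE_50 = SecurityPolicy(mac_address_changes="Accept", forged_transmits="Accept")
POLICY_VSPHERE_51 = SecurityPolicy(mac_address_changes="Reject", forged_transmits="Reject")

def _norm(mac):
    return mac.lower().replace("-", ":")

def mac_change_allowed(policy, initial_mac, effective_mac):
    """MAC Address Changes: the guest moved the adapter's effective MAC away from the
    initial MAC of the VM configuration. With "Reject" the port gets blocked."""
    return policy.mac_address_changes == "Accept" or _norm(initial_mac) == _norm(effective_mac)

def forged_transmit_allowed(policy, effective_mac, frame_src_mac):
    """Forged Transmits: the host compares the source MAC of a frame sent by the guest
    OS with the adapter's effective MAC and drops the frame on mismatch."""
    return policy.forged_transmits == "Accept" or _norm(frame_src_mac) == _norm(effective_mac)

def vm_has_connectivity(policy, initial_mac, effective_mac, frame_src_mac):
    """The VM keeps network access only if neither L2 security check fires."""
    return (mac_change_allowed(policy, initial_mac, effective_mac)
            and forged_transmit_allowed(policy, effective_mac, frame_src_mac))

# Constructed addresses: one from the VMware OUI as vCenter would assign it,
# one standing in for the NIC of the old physical server.
VCENTER_MAC = "00:50:56:8a:12:34"
PHYSICAL_MAC = "00:1b:21:aa:bb:cc"

def p2v_vm_connectivity(policy, driver_reprograms_adapter=False):
    """The P2V case from the post: the guest driver sends frames with the old physical
    MAC. If the driver also reprograms the vNIC itself, the effective MAC changes too
    and "MAC Address Changes" has to be accepted as well (the optional setting)."""
    effective = PHYSICAL_MAC if driver_reprograms_adapter else VCENTER_MAC
    return vm_has_connectivity(policy, VCENTER_MAC, effective, PHYSICAL_MAC)

if __name__ == "__main__":
    for name, pol in (("vSphere 5.0 default", POLICY_VSPHERE_50), ("vSphere 5.1 default", POLICY_VSPHERE_51)):
        print(name, "->", "connected" if p2v_vm_connectivity(pol) else "blocked")
```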

Enable CDP on VMware vSS

This posting is ~7 years old. You should keep this in mind. IT is a short-lived business. This information might be outdated.

The Cisco Discovery Protocol (CDP) is used to discover and advertise the identity and capabilities of a network component to other network components. CDP is a proprietary protocol developed by Cisco, so it's often used on Cisco switches and routers. The Link Layer Discovery Protocol (LLDP) is a vendor-neutral discovery protocol, which is used e.g. by Hewlett-Packard. With CDP or LLDP you can easily get an overview of a network topology, e.g. quickly check which switches are connected to an uplink. Both protocols use Ethernet multicast to advertise and receive information: CDP uses the destination address 01:00:0C:CC:CC:CC, LLDP 01:80:C2:00:00:0E.

Wouldn't it be nice if you could use CDP or LLDP on a physical switch to discover the pNICs of your ESXi hosts? Would be great, wouldn't it? ;) Yes, it's possible! VMware vNetwork Standard Switches (vSS) support CDP; vNetwork Distributed Switches (vDS) also support LLDP. Maybe you noticed this little blue exclamation mark in the vSphere Web Client.

[Screenshot vsphere_web_client_cdp_01: the blue exclamation mark next to a pNIC in the vSphere Web Client. Patrick Terlisten / www.vcloudnine.de / Creative Commons CC0]

Of course you can use the vSphere Client to view this information, but in this article I will focus on CDP and the vSphere Web Client. By default a vSS only receives CDP information. This is not a problem if you're in a Cisco environment. If you're using HP Networking components, e.g. HP ProVision based switches, you will not see any CDP information received by the vSS: by default HP ProVision based switches use LLDP and don't advertise information via CDP, they only listen to CDP traffic. So you have to turn the tables and tell the vSS to advertise information via CDP.

How to enable CDP on vNetwork Standard Switches?

You can use esxcfg-vswitch, esxcli or PowerCLI to enable CDP. To be honest, PowerCLI uses the Get-EsxCli cmdlet to set the necessary parameters. This is an example using the esxcfg-vswitch command:

~ # esxcfg-vswitch -b vSwitch0
listen
~ # esxcfg-vswitch -B both vSwitch0
~ # esxcfg-vswitch -b vSwitch0
both
~ #

The switch -b prints the current state, which is "listen" by default. -B sets the CDP mode; -B both enables listening and advertising. The vSS will immediately start to advertise itself using CDP. This is the output from an HP 2510-24G switch before and after enabling CDP on the vSS:

SW# sh cdp neighbors

 CDP neighbors information

  Port Device ID                     | Platform                     Capability
  ---- ----------------------------- + ---------------------------- -----------
  6    18 a9 05 b8 59 69             |
  23   c0 91 34 74 92 00             | ProCurve J9279A Switch 25... S
  24   c0 91 34 74 92 00             | ProCurve J9279A Switch 25... S

SW# sh cdp neighbors

 CDP neighbors information

  Port Device ID                     | Platform                     Capability
  ---- ----------------------------- + ---------------------------- -----------
  1    esx01.domain.tld              | Releasebuild-1623387VMwar... S
  2    esx01.domain.tld              | Releasebuild-1623387VMwar... S
  5    esx01.domain.tld              | Releasebuild-1623387VMwar... S
  6    18 a9 05 b8 59 69             |
  23   c0 91 34 74 92 00             | ProCurve J9279A Switch 25... S
  24   c0 91 34 74 92 00             | ProCurve J9279A Switch 25... S

SW#
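As an added example (not from the post), here is a small Python parser for the HP switch output above: it turns "show cdp neighbors" captures into structured records, diffs a before/after capture, and groups ports by Device ID so that the pNICs of esx01 can be mapped to switch ports. The sample captures are copied from the output above with port 24 omitted.

```python
from dataclasses import dataclass

@dataclass
class CdpNeighbor:
    port: str
    device_id: str
    platform: str
    capability: str

def parse_cdp_neighbors(output):
    """Parse an HP ProCurve/ProVision 'show cdp neighbors' table into {port: neighbor}.
    Data rows look like '<port> <device id> | <platform> <capability>'."""
    neighbors = {}
    for raw in output.splitlines():
        line = raw.strip()
        # The prompt, title and '----' separator contain no '|'; the header starts with 'Port'.
        if "|" not in line or line.startswith("Port"):
            continue
        left, right = line.split("|", 1)
        fields = left.split()
        if not fields or not fields[0].isdigit():
            continue
        port, device_id = fields[0], " ".join(fields[1:])
        rf = right.split()  # platform/capability may be absent (e.g. a bare MAC neighbor)
        platform = " ".join(rf[:-1]) if len(rf) > 1 else ""
        capability = rf[-1] if rf else ""
        neighbors[port] = CdpNeighbor(port, device_id, platform, capability)
    return neighbors

def new_neighbors(before, after):
    """Ports that gained or changed a neighbor between two captures."""
    return {p: n for p, n in after.items()
            if p not in before or before[p].device_id != n.device_id}

def ports_by_device(neighbors):
    """Group switch ports by advertised Device ID (maps ESXi pNICs to switch ports)."""
    grouped = {}
    for n in neighbors.values():
        grouped.setdefault(n.device_id, []).append(n.port)
    return grouped

# Sample captures taken from the switch output in the post (port 24 omitted).
BEFORE = """  Port Device ID                     | Platform                     Capability
  ---- ----------------------------- + ---------------------------- -----------
  6    18 a9 05 b8 59 69             |
  23   c0 91 34 74 92 00             | ProCurve J9279A Switch 25... S
"""
AFTER = BEFORE + """  1    esx01.domain.tld              | Releasebuild-1623387VMwar... S
  2    esx01.domain.tld              | Releasebuild-1623387VMwar... S
  5    esx01.domain.tld              | Releasebuild-1623387VMwar... S
"""
```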

If you want to use PowerCLI, you have to use the Get-EsxCli cmdlet.

$esxcli = Get-EsxCli -VMHost <hostname or IP address>
$esxcli.network.vswitch.standard.set("both","9000","vSwitch0")

Please note that the command expects the MTU as a parameter. If you have changed the MTU, don't copy and paste this. It will set the MTU of the vSS to 1500 bytes. If you have to change this for a number of hosts, take a look at a PowerCLI function written by Maish Saidel-Keesing. The third method is using esxcli to set the CDP operation mode:

esxcli network vswitch standard set -c both -v vSwitch0

Regardless of which method you choose, this will only affect the vSS. If your network equipment doesn't send CDP information, you will not see any CDP information in the VMware (Web) Client. So if you use HP ProVision based switches, you will only see the CDP information sent by the vSS on the ProVision based switch.