01-11-2011 06:30 AM - edited 03-01-2019 09:47 AM
I’m a bit unclear in terms of policy migration in HW VN-Link, i.e. VM FEX. A port group is a product of the vSwitch construct, correct? If, say, a 1000v has a port profile configured with all its associated security and vlan characteristics, that profile is translated as a port group in vCenter. Moreover, the VM and the interface it is connected to on the 1000v are associated to that port group. When a VM is migrated from one host to another in the same vMotion cluster, the VM will remain attached (bound) to the same vethernet port on the 1000v. Therefore, the port group to which that vethernet is bound also remains the same and the policies follow. Simple enough.
But when one performs a HW VN-Link (HW FEX), the NIV capabilities of Palo are leveraged. In this case, my understanding is that the hypervisor is either bypassed altogether (VM Direct Path I/O), in which case vMotion is not possible because the hypervisor no longer has authoritative dominion over the VM, OR the 1000v simply acts as a pass-through that does nothing more than aggregate the traffic from the downlinks to the uplinks, which are attached to the vNICs on the Palo. So, with the absence of a port profile and its associated port group (no vswitch construct being leveraged anymore), where do the VM’s policies reside?
Thanks
12-22-2011 03:51 PM
Hi,
The subject of the thread is VN-Link in hardware (VM-FEX), so that's what I am going to assume the questions are on, as VSM/VEM terminology is used with Nexus1000v too and that forwarding behavior is different.
> traffic between two VM's on the same ESX server (on same VLAN) wouldn't be switched through the uplink switch right? It will be directly switched by VEM/ESX locally through its kernel?
No - ALL traffic goes upstream to the FI's which is where the switching port (veth) is instantiated.
VM-A and VM-B on the same ESX host utilizing VM-FEX, traffic goes upstream to get switched.
VM-A and VM-B on 2 diff ESX hosts, then of course they have to.
See inserted png file where both the scenarios I mentioned above are given.
> Can you confirm me if my understanding is right on the following scenarios:
> 1) Traffic between 2 hosts in same ESX server, same VLAN - switched locally by ESX (doesn't go upstream)
No - in VM-FEX mode there is no local switching.
> 2) Traffic between 2 hosts in diff ESX servers, same VLAN - switched to uplink (VM-DATA) and layer 2 forwarding to other ESX
Yes
> 3) Traffic between 2 hosts in same ESX, different VLAN - forwarded to uplink since layer 3 isn't defined in VSM. In my case it goes to Dist1 switch and comes back
Yes - inter VLAN requires L3 which the FI's are not (yet).
Thanks
--Manish
04-11-2012 07:15 PM
Manish,
Thanks for your clear explanation.
According to your explanation, it is clear that VEM is needed both in VMdirectpath and non-VMdirectpath mode in VMware ESX. But according to the UCS-VM-FEX configuration guide, VEM is not needed in KVM. Is that correct? Also, I think VM migration is supported in KVM for VM-FEX. If so, how is the memory state of vNIC copied to the destination? Is this done by macvtap driver?
Thanks
Jagath
04-12-2012 06:21 AM
Jagath
Yes, macvtap and vmotion is supported. There is no host component like VEM to load in case of VM-FEX for KVM.
Also in case of KVM libvirt is also used for the mgmt piece currently.
Thanks
--Manish
04-16-2012 10:06 PM
Manish
Thanks. One more thing needs to be clarified.
In the case of VEM, what did you actually mean by memory state of vNIC? I thought it is the memory used by traffic passing through vNIC and the vNIC statistics when migration is triggered.
Thanks
Jagath