I’m a bit unclear in terms of policy migration in HW VN-Link, i.e. VM-FEX. A port group is a product of the vSwitch construct, correct? If, say, a 1000v has a port profile configured with all its associated security and VLAN characteristics, that profile is translated as a port group in vCenter. Moreover, the VM and the interface it is connected to on the 1000v are associated with that port group. When a VM is migrated from one host to another in the same vMotion cluster, the VM will remain attached (bound) to the same vEthernet port on the 1000v. Therefore, the port group to which that vEthernet is bound also remains the same and the policies follow. Simple enough.
But when one performs a HW VN-Link (HW FEX), the NIV capabilities of Palo are leveraged. In this case, my understanding is that the hypervisor is either bypassed altogether (VM DirectPath I/O), in which case vMotion is not possible because the hypervisor no longer has authoritative dominion over the VM, OR the 1000v simply acts as a pass-through that does nothing more than aggregate the traffic from the downlinks to the uplinks, which are attached to the vNICs on the Palo. So, with the absence of a port profile and its associated port group (no vSwitch construct being leveraged anymore), where do the VM’s policies reside?
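To make the port-profile-to-port-group mapping in the first post concrete, here is a Nexus 1000V configuration fragment. It is an added illustration, not configuration from the poster or from Cisco documentation; the names WEB, WEB-PG, WEB-ACL and VLAN 100 are constructed for the example. The port profile carries the VLAN and an inbound port ACL, and the `vmware port-group` line is what the VSM pushes to vCenter as the port group that the VM's vNIC is bound to, so the same policy follows the vEthernet interface across a vMotion.

```text
! Constructed example: a vEthernet port profile on a Nexus 1000V VSM.
! Security policy lives here (VLAN + port ACL), not on the ESX host.
ip access-list WEB-ACL
  10 permit tcp any any eq 443
  20 permit tcp any any eq 80
  30 deny ip any any

port-profile type vethernet WEB
  ! Name of the vCenter port group this profile is exported as
  vmware port-group WEB-PG
  switchport mode access
  switchport access vlan 100
  ! Inbound port ACL applied to every vEthernet that inherits this profile
  ip port access-group WEB-ACL in
  no shutdown
  state enabled

! After a VM attached to WEB-PG is vMotioned, the VSM keeps the same
! vEthernet interface bound to the VM; the interface still inherits WEB:
!   interface Vethernet5
!     inherit port-profile WEB
```

Checking `show port-profile name WEB` on the VSM lists the assigned vEthernet interfaces, and `show interface vethernet 5` shows the inherited profile and the VM name; both should be unchanged before and after the migration.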
Thanks for your clear explanation.
According to your explanation, it is clear that a VEM is needed in both VMDirectPath and non-VMDirectPath mode in VMware ESX. But according to the UCS VM-FEX configuration guide, a VEM is not needed in KVM. Is that correct? Also, I think VM migration is supported in KVM for VM-FEX. If so, how is the memory state of the vNIC copied to the destination? Is this done by the macvtap driver?