I’m a bit unclear in terms of policy migration in HW VN-Link, i.e. VM-FEX. A port group is a product of the vSwitch construct, correct? If, say, a 1000v has a port profile configured with all its associated security and VLAN characteristics, that profile is translated as a port group in vCenter. Moreover, the VM and the interface it is connected to on the 1000v are associated with that port group. When a VM is migrated from one host to another in the same vMotion cluster, the VM will remain attached (bound) to the same vEthernet port on the 1000v. Therefore, the port group to which that vEthernet is bound also remains the same and the policies follow. Simple enough.
But when one performs HW VN-Link (HW FEX), the NIV capabilities of Palo are leveraged. In this case, my understanding is that the hypervisor is either bypassed altogether (VMDirectPath I/O), in which case vMotion is not possible because the hypervisor no longer has authoritative dominion over the VM, OR the 1000v simply acts as a pass-through that does nothing more than aggregate the traffic from the downlinks to the uplinks, which are attached to the vNICs on the Palo. So, with the absence of a port profile and its associated port group (no vSwitch construct being leveraged anymore), where do the VM’s policies reside?
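As an added illustration of the port-profile to port-group mapping the first post describes (this is an editor's example, not part of the original thread or any poster's configuration), here is a Nexus 1000v vEthernet port profile in NX-OS syntax. The `vmware port-group` line is what makes the VSM publish the profile to vCenter as a port group of the same name, so the VLAN and ACL settings below are what "follow" the VM on vMotion. The profile name, VLAN number and ACL name are assumptions for the example.

```cisco
! Assumed for the example: profile "WebServers", VLAN 100, port ACL "WEB-IN"
port-profile type vethernet WebServers
  vmware port-group
  switchport mode access
  switchport access vlan 100
  ip port access-group WEB-IN in
  no shutdown
  state enabled
```

After `state enabled`, `show port-profile name WebServers` on the VSM lists the profile and the vEthernet interfaces bound to it, and the same name should appear as a port group under the 1000v DVS in vCenter. With VM-FEX the equivalent port profiles are defined in UCS Manager rather than on a 1000v VSM, which is where the policies the question asks about live.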
The subject of the thread is VN-Link in hardware (VM-FEX), so that's what I am going to assume the questions are on, as VSM/VEM terminology is used with Nexus 1000v too and that forwarding behavior is different.
> traffic between two VMs on the same ESX server (on same VLAN) wouldn't be switched through the uplink switch right? It will be directly switched by VEM/ESX locally through its kernel?
No - ALL traffic goes upstream to the FIs, which is where the switching port (veth) is instantiated.
VM-A and VM-B on the same ESX host utilizing VM-FEX: traffic goes upstream to get switched.
VM-A and VM-B on 2 different ESX hosts: then of course they have to.
See the inserted PNG file where both the scenarios I mentioned above are given.
> Can you confirm if my understanding is right on the following scenarios:
> 1) Traffic between 2 hosts in same ESX server, same VLAN - switched locally by ESX (doesn't go upstream)
No - in VM-FEX mode there is no local switching.
> 2) Traffic between 2 hosts in diff ESX servers, same VLAN - switched to uplink (VM-DATA) and layer 2 forwarding to other ESX
> 3) Traffic between 2 hosts in same ESX, different VLAN - forwarded to uplink since layer 3 isn't defined in VSM. In my case it goes to Dist1 switch and comes back
Yes - inter-VLAN requires L3, which the FIs are not (yet).
According to your explanation, it is clear that VEM is needed both in VMDirectPath and non-VMDirectPath mode in VMware ESX. But according to the UCS VM-FEX configuration guide, VEM is not needed in KVM. Is that correct? Also, I think VM migration is supported in KVM for VM-FEX. If so, how is the memory state of the vNIC copied to the destination? Is this done by the macvtap driver?