Blog: Virtual Networking Best Practices Up for Debate

Virtual server configuration and management is still a developing art. But a set of best practices for laying out a virtual network for the best performance, redundancy, and security is even more up for grabs. Despite how often questions about virtual networks appear on the VMware Communities Forums, no two companies seem to use the same approach.

Some companies are constrained by hardware availability, by security requirements, or by a misunderstanding of what the virtual network actually is.

Complicating matters, network administrators are generally not involved in decisions about how to configure networks for virtual servers, either because they don't wish to be, or don't realize that they should be. Even when they are, however, network administrators generally lack the basic virtualization education that will help them to make good decisions based on the accepted best practices.

The virtual network begins where the physical network ends at the virtualization host. The network adapters in the physical host are bridged to the virtualization layer. What happens next depends on the virtualization host in use.

For VMware Server, VMware Workstation, Citrix XenServer, and Microsoft Hyper-V, the network bridge terminates at the virtualization layer; the virtualization software then makes a virtual network interface available to the virtual machines. The virtual network interface can talk to the bridge, to a host-only network, or through a Network Address Translation (NAT) device. However, everything goes through the physical host, which raises some security concerns.

VMware ESX and VMware ESXi require the bridge to terminate at specific virtual switches, which are simple layer-2 devices. The virtualization layer makes the virtual switches available to make it easier for administrators to create and secure virtual networks; essentially, the virtual switch is connected to a physical switch via normal uplink capabilities. VMware ESX and ESXi can also have a large number of virtual switches available.

Each physical network interface on the physical server can uplink to a single virtual switch (to which all the VMs would connect), or each physical NIC can connect to a different virtual switch. It is even possible to have virtual switches with no uplink to a physical switch at all. These are considered host-only virtual switches.

So what are the best practices?

The first is to configure each physical server with uplinks from at least two different physical switches to one or more virtual switches.

Not only does this give the virtual-switch layer a way to keep functioning if one physical NIC goes down, but it also allows the virtual switch to load-balance VMs across both NICs while both are working.

Other than that one guideline, best-practice recommendations on the forum vary widely.

I find it's also effective to provide a separate virtual switch for the physical switch linking the physical server to storage. That keeps VMs from fighting for the same bandwidth for access to both network and storage resources.
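To make the two recommendations above (at least two uplinks from different physical switches per vSwitch, and storage traffic on its own vSwitch) checkable rather than just stated, here is an added audit script that is not part of the original post. It walks a constructed host inventory in an assumed format (vSwitch name, vmnic-to-physical-switch map, traffic types); a real run would populate that inventory from esxcli or PowerCLI output.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class VSwitch:
    """One vSwitch on a host. uplinks maps a vmnic to the physical switch
    it is cabled to (assumed inventory format, not VMware's own)."""
    name: str
    uplinks: dict[str, str] = field(default_factory=dict)
    traffic: set[str] = field(default_factory=set)  # e.g. {"vm", "storage", "mgmt"}


def audit_host(host: str, vswitches: list[VSwitch]) -> list[str]:
    """Return one finding per best-practice violation; an empty list means clean."""
    findings: list[str] = []
    for vs in vswitches:
        if not vs.uplinks:
            continue  # host-only vSwitch: deliberately has no physical uplink
        phys = set(vs.uplinks.values())
        if len(vs.uplinks) < 2:
            findings.append(f"{host}/{vs.name}: single uplink, loses all "
                            f"connectivity if that NIC fails")
        elif len(phys) < 2:
            # Two NICs, but both cabled to the same physical switch: no
            # protection against a physical-switch outage.
            findings.append(f"{host}/{vs.name}: both uplinks land on "
                            f"{phys.pop()}; a physical-switch outage takes it down")
        if {"vm", "storage"} <= vs.traffic:
            findings.append(f"{host}/{vs.name}: VM and storage traffic share "
                            f"the same uplinks (give storage its own vSwitch)")
    return findings


# Constructed sample inventories for two hypothetical hosts, not real ones.
GOOD_HOST = [
    VSwitch("vSwitch0", {"vmnic0": "sw-A", "vmnic1": "sw-B"}, {"mgmt", "vm"}),
    VSwitch("vSwitch1", {"vmnic2": "sw-A", "vmnic3": "sw-B"}, {"storage"}),
    VSwitch("vSwitch2"),  # host-only switch for an isolated test network
]
BAD_HOST = [
    VSwitch("vSwitch0", {"vmnic0": "sw-A", "vmnic1": "sw-A"}, {"mgmt", "vm", "storage"}),
    VSwitch("vSwitch1", {"vmnic2": "sw-B"}, {"vmotion"}),
]

if __name__ == "__main__":
    for host, inventory in (("esx01", GOOD_HOST), ("esx02", BAD_HOST)):
        for line in audit_host(host, inventory) or [f"{host}: no findings"]:
            print(line)
```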

The common wisdom on security is that VLANs on a vSwitch are currently secure, in some cases more secure than on many physical switches, but this may not always be the case.

Splitting traffic amongst the available physical NICs gives the best redundancy, performance, and security overall, but how to accomplish this split is far from clear.

Virtualization expert Edward L. Haletky is the author of "VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers," Pearson Education (2008). He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.
