VMware VCAP6-NV 3V0-643 – Distributed Switch Filters

  1. Understand dvFilters

dvFilters were introduced in ESXi and are a feature of the distributed switch. On either the virtual or physical NICs, dvFilters are placed between the NIC and the distributed switch. Up to 16 dvFilter slots are available, but slots 0 through 3 and 12 through 15 are reserved for VMware use. dvFilters allow for the monitoring and manipulation of network traffic. VMware NSX uses dvFilters to redirect traffic to a different VM, such as Palo Alto Networks’ next-generation firewall.

NSX also uses dvFilters to perform firewalling and network learning functionality. I’m going to demonstrate using a simple dvFilter for MAC address learning on promiscuous-mode port groups. This filter is primarily used for virtualized (nested) ESXi hosts. The first thing we have to do is download the filter. I’ll go to the VMware Flings site (labs.vmware.com), look for the MAC Learning dvFilter, accept the technical preview license, and then download the filter. There are also instructions there if you need further information on how to install it. Once the filter is downloaded, I go to the vSphere client. I’m using the HTML5 client in this case; I select my host, and I’m going to upload the VIB to the local datastore to make it available. Now I need to log in to the ESXi host at the command line, and from here I install the VIB using “esxcli software vib install” with the path to the VIB on the VMFS volume. If I don’t remember the file name “esx-dvfilter…”, I can use tab completion to finish it. Now, because this is a fling, it’s not a properly signed VIB.

So I have to specify “--no-sig-check” to skip signature checking; otherwise, the install will fail. Once the installation has succeeded, I can verify that the dvFilter is now loaded using “summarize-dvfilter”, and we’ll see that we now have dvfilter-maclearn. There are a couple of other dvFilters that are already installed. This one here, ESXfw, is the firewall for the ESXi host itself; it has nothing to do with virtual machines. It’s worth noting that it’s currently active on vmk1 and vmk0. Now the next thing I have to do is apply this particular dvFilter to a virtual machine. To do that, I need to edit the VMX file for the virtual machine. I’m going to use test VM-1 here. It’s already powered off, and it is very important that the virtual machine be powered off before you edit the VMX file. Change to the directory where the virtual machine lives, and edit the test VM-1 VMX file. Go down to the Ethernet section, where I want to add a couple of lines. “filter4” indicates the slot; remember, slots zero through three are reserved.

The first line specifies the name of the filter, and the second, the onFailure line, indicates what should happen if this dvFilter fails. We want failOpen, which simply means that the filter is bypassed and does not block traffic. Once I’ve edited the file, I can power on the virtual machine. If we go back to the command line and once again run summarize-dvfilter, we see a new entry indicating that the maclearn dvFilter is being applied to this virtual machine. The filter now passes only learned MAC addresses: any time the virtual machine sends out a frame, its source MAC address is learned by the filter, and only traffic destined for a learned MAC address is allowed in. Typically, in promiscuous mode, all frames would be forwarded to the virtual machine, even those intended for another VM in the same port group. This significantly reduces the amount of incoming traffic that a virtual machine running in promiscuous mode has to analyze, thus reducing its CPU usage. Now, let’s take a look at multicast filters.
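The two VMX lines described above, embedded in a small checker that flags filter slots in the reserved ranges and missing onFailure values. This is an added example and not the fling’s own tooling; the VMX text is constructed, and the set of valid onFailure values is an assumption.

```python
"""Check dvFilter slot assignments in a VMX file (added example).
Assumes slots 0-3 and 12-15 are reserved for VMware, as the lesson states,
and that onFailure must be failOpen or failClosed (assumption)."""
import re

RESERVED_SLOTS = set(range(0, 4)) | set(range(12, 16))
VALID_ON_FAILURE = {"failOpen", "failClosed"}  # assumed valid values

# Constructed sample: the two lines added to test VM-1, plus a bad second NIC.
SAMPLE_VMX = '''
ethernet0.virtualDev = "vmxnet3"
ethernet0.networkName = "dvPG-Promiscuous"
ethernet0.filter4.name = "dvfilter-maclearn"
ethernet0.filter4.onFailure = "failOpen"
ethernet1.virtualDev = "vmxnet3"
ethernet1.filter2.name = "dvfilter-maclearn"
'''

_KEY_RE = re.compile(r'^\s*(\S+)\s*=\s*"(.*)"\s*$')
_FILTER_RE = re.compile(r"^(ethernet\d+)\.filter(\d+)\.(\w+)$")


def parse_vmx(text):
    """Parse key = "value" lines into a dict; other lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def dvfilter_findings(cfg):
    """Return (adapter, slot, message) tuples for questionable filter lines."""
    filters = {}  # (adapter, slot) -> {attribute: value}
    for key, value in cfg.items():
        m = _FILTER_RE.match(key)
        if m:
            adapter, slot, attr = m.group(1), int(m.group(2)), m.group(3)
            filters.setdefault((adapter, slot), {})[attr] = value
    findings = []
    for (adapter, slot), attrs in sorted(filters.items()):
        if slot in RESERVED_SLOTS or slot > 15:
            findings.append((adapter, slot, "slot reserved or out of range"))
        if "name" not in attrs:
            findings.append((adapter, slot, "missing filter name"))
        if attrs.get("onFailure") not in VALID_ON_FAILURE:
            findings.append((adapter, slot, "onFailure missing or invalid"))
    return findings
```

Running dvfilter_findings(parse_vmx(SAMPLE_VMX)) reports nothing for ethernet0 (slot 4, failOpen) and two findings for ethernet1, which uses reserved slot 2 and has no onFailure line.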

  2. Configure multicast filters

Multicast networking allows for one-to-many communication on an IP network. To ensure that multicast works properly, the destination host sends an IGMP packet (a join) toward the switches and routers along the path, and they use that information to learn which multicast IP the destination is listening for so that they can forward traffic to it.

Typically, physical switches listen for IGMP packets from the destination and use that information to determine which traffic to forward out a specific port. Prior to version 6.0, virtual switches would use the multicast MAC addresses configured on the vNIC and pass that traffic on, but would not examine the IGMP packets. This can create an issue, as multicast MAC addresses are reused for multiple multicast IP addresses. As of version 6.0, distributed switches can perform true multicast snooping and filter traffic to the correct switch port based on the multicast IP. To enable multicast snooping in our environment, we go back to vCenter Server.

I need to go to Networking, select my Distributed Switch, right-click on it, and go to Settings, Edit Settings, and then Advanced. I can change the multicast filtering mode from “Basic,” which is MAC-based, to “IGMP/MLD snooping,” which is IP-based. When a distributed switch is enabled for multicast snooping, it also sends out IGMP queries. By default, the Distributed Switch sends a query every 125 seconds, but that can be modified on each individual ESXi host. So we go back to the ESXi host, go to Configure, and under System go to Advanced System Settings and filter for IGMP. We’ll see the IGMP query interval in seconds, which can be modified if you want to adjust this time. We can also specify a router IP address for IGMP; however, it is not always necessary to do so. Now let’s take a look at the venue X inside a virtual machine.
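To see why MAC-based (“Basic”) filtering over-forwards and IP-based snooping does not, here is an added example (not from the lesson) that maps IPv4 multicast groups to their 01:00:5e MAC addresses and compares the two forwarding decisions for a constructed set of streams.

```python
"""IPv4 multicast IP -> MAC mapping and Basic vs. IGMP-snooping forwarding.
Added example; the joined group and stream addresses below are constructed."""
import ipaddress


def ipv4_multicast_mac(ip):
    """Map a 224.0.0.0/4 address to its MAC: 01:00:5e + the low 23 bits.
    The top 5 bits of the group are dropped, so 32 groups share one MAC."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (
        low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def basic_mode_forwards(joined_groups, dst_ip):
    """'Basic' (pre-6.0) filtering compares destination MACs only."""
    wanted_macs = {ipv4_multicast_mac(g) for g in joined_groups}
    return ipv4_multicast_mac(dst_ip) in wanted_macs


def snooping_mode_forwards(joined_groups, dst_ip):
    """IGMP snooping compares the multicast IP learned from the join."""
    joined = {ipaddress.IPv4Address(g) for g in joined_groups}
    return ipaddress.IPv4Address(dst_ip) in joined


def compare_modes(joined_groups, stream_ips):
    """Return {stream_ip: (basic_forwards, snooping_forwards)}."""
    return {ip: (basic_mode_forwards(joined_groups, ip),
                 snooping_mode_forwards(joined_groups, ip))
            for ip in stream_ips}


# Constructed scenario: the VM joined one group; four streams hit the switch.
JOINED = ["224.1.1.1"]
STREAMS = ["224.1.1.1", "225.1.1.1", "239.129.1.1", "239.2.2.2"]

if __name__ == "__main__":
    for ip, (basic, snoop) in compare_modes(JOINED, STREAMS).items():
        print(f"{ip:>12} -> {ipv4_multicast_mac(ip)}  "
              f"basic={basic}  snooping={snoop}")
```

225.1.1.1 and 239.129.1.1 share the MAC 01:00:5e:01:01:01 with the joined group, so Basic mode delivers them to the VM while snooping mode drops them.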