
E-Guide

Management and Policy for Virtual Machines

Virtualization throws a wrench into traditional
network management and monitoring techniques.
This SearchNetworking.com E-Guide
discusses the problems that virtualization
presents for network management and what
you can do to ease the pain points.

Sponsored By:

Table of Contents:

Managing virtualization networking with distributed virtual switches

Resources from SolarWinds, Inc.



Get End-to-End Visibility Into Your Virtual & Physical Infrastructure Through a Single Pane of Glass.
Managing a virtualized datacenter environment is a complex task… unless you
have SolarWinds Orion Network Performance Monitor (NPM). Orion NPM
delivers powerful monitoring for your VMware® vSphere™ servers, ESX and
ESXi servers, and Cisco® 1000v.
Finally, you can get comprehensive virtualization monitoring—from your
virtualized servers and switches to the underlying physical infrastructure. Orion
even delivers visibility into the applications running on virtualized resources.


Learn more at solarwinds.com.


Managing virtualization networking with distributed virtual switches

Traditionally, network groups manage the physical network connection of a server from the switch all the way to
the NIC. Virtualization changes that by extending the network into the server, snatching control out of the network
administrator's hands. This poses a host of new problems that include a lack of visibility within the server and a
lack of manageability of virtual network switches.

Virtual network switches effectively extend the physical network from the NIC in a VMware ESX host to a virtual
switch that is managed by the ESX server, as well as a virtual NIC that connects a virtual machine (VM) to the
virtual switch. This virtual switch is usually managed by virtualization administrators and not network administrators,
which can cause some concern and friction between the two groups because the network admins can no
longer control and manage part of the network that is inside a virtual host.

The role of virtual network switches

Virtual switches are the core networking component on an ESX and ESXi host. A virtual switch is built and
contained in the RAM of a host and connects the physical NICs (referred to as uplinks) in the host server to the
virtual NICs in virtual machines. Virtual switches (vSwitches) emulate many of the traits of traditional Ethernet
switches and can perform many of the same functions, such as forwarding frames at the data link layer and VLAN
segmentation, and they also support copying packets to a mirror port for use with a sniffer or IDS system. In
VMware VI3, there was only one type of vSwitch; in vSphere, there are now three different types that you can use:
the standard vSwitch, the new distributed vSwitch, and third-party vSwitches (Cisco Nexus 1000v). With the exception
of the Nexus 1000v, you can have multiple vSwitches configured on a single host, but a single physical NIC can
only be assigned to a single vSwitch.

Challenges of virtualization networking: Blind spots and a lack of control

One of the challenges with vSwitches is that much of the traffic between VMs on the same host never leaves the
host, so it does not go over the physical network. As a result, it cannot be monitored or managed by the network
devices on the physical network, such as IDS/IPS systems. In a post I did a while back, I explain the circumstances
in which a VM's network traffic never leaves the host. To summarize, this occurs when VMs are connected to the
same vSwitch and the same port group on that vSwitch. What happens is that all network traffic between those
VMs stays within the host's memory subsystem as both the vNICs and vSwitch are contained in a host's memory.
This can be desirable from a performance standpoint, as transferring data in a host's memory is much faster than
sending it over the network. But it is not desirable from a network standpoint because the data cannot be seen by
the physical network and, consequently, by network firewalls, QoS, ACLs and IDS/IPS systems that are designed to
protect servers at the network layer.
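
The condition described above can be checked against an inventory export. The following Python sketch is an added example, not part of the original e-guide; the CSV layout, host names and VM names are constructed for illustration. It groups virtual NICs by host, vSwitch and port group and ranks the segments where VM-to-VM traffic never reaches the physical network.

```python
import csv
import io
from collections import defaultdict
from math import comb

# Constructed sample inventory (not from the e-guide): one row per virtual NIC.
SAMPLE_INVENTORY = """vm,host,vswitch,portgroup
web01,esx-a,vSwitch0,Prod-Web
web02,esx-a,vSwitch0,Prod-Web
db01,esx-a,vSwitch0,Prod-DB
app01,esx-a,vSwitch1,Prod-Web
web03,esx-b,vSwitch0,Prod-Web
db02,esx-b,vSwitch0,Prod-DB
db03,esx-b,vSwitch0,Prod-DB
db04,esx-b,vSwitch0,Prod-DB
"""

def load_vnics(text):
    """Parse the CSV export into a list of dict rows, trimming whitespace."""
    return [{k: v.strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]

def in_host_segments(vnics):
    """Group VMs by (host, vSwitch, port group); keep groups of 2+ VMs.

    Per the article, traffic between VMs in such a group stays in host memory
    and is never seen by physical firewalls, ACLs or IDS/IPS.
    """
    groups = defaultdict(set)
    for nic in vnics:
        groups[(nic["host"], nic["vswitch"], nic["portgroup"])].add(nic["vm"])
    return {key: sorted(vms) for key, vms in groups.items() if len(vms) > 1}

def blind_spot_report(vnics):
    """Return segments sorted by number of unmonitored VM pairs, largest first."""
    report = []
    for (host, vswitch, pg), vms in in_host_segments(vnics).items():
        report.append({"host": host, "vswitch": vswitch, "portgroup": pg,
                       "vms": vms, "unmonitored_pairs": comb(len(vms), 2)})
    return sorted(report, key=lambda r: (-r["unmonitored_pairs"], r["host"]))

if __name__ == "__main__":
    for seg in blind_spot_report(load_vnics(SAMPLE_INVENTORY)):
        print(f'{seg["host"]}/{seg["vswitch"]}/{seg["portgroup"]}: '
              f'{", ".join(seg["vms"])} ({seg["unmonitored_pairs"]} pairs)')
```

Segments at the top of the report are the first candidates for an in-host monitoring appliance or a mirror port.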

Another challenge with virtual switches is that neither the standard nor the distributed vSwitch has many features;
both are basically dumb, unmanaged switches. As a result, there is very little control over what happens on a
vSwitch and no integration between vSwitches and physical switches.


One last challenge with virtual switches is with adding devices to the network. Most network admins like to control
what is plugged into their network. They will typically disable ports that are not in use and set port security on all
ports so that if a different NIC is plugged in, they are alerted to it and the port is disabled. With a vSwitch, they
lose this control as they only have control of the uplink ports from the physical NICs in the host and not the many
virtual machine ports that exist on a vSwitch.

New tools address virtualization networking management

These challenges all lead to reduced visibility and control of network traffic, which results in a less secure environment,
incomplete network traffic analysis and unhappy network admins. One way to address this is to use network
management products that are designed to work in virtual environments.

These typically allow you to secure, monitor and control all the virtual networking traffic on a host. These products
typically deploy as virtual appliances on a host and either sit inline between VMs in a protected vSwitch or use the
new VMsafe technologies in vSphere, which can protect VMs without being inline. Some examples of these types of
products include SolarWinds Network Performance Monitor (NPM), which provides monitoring, Reflex System's
Virtual Management Center, Altor Networks Virtual Firewall, and Catbird's vSecurity.


Resources from SolarWinds, Inc.

YouTube Video - Discover & Monitor VMware Servers in Orion Network Performance Monitor v10

Cisco & SolarWinds Webcast – Cisco 1000V Product Manager and SolarWinds’ Josh Stephens
Discuss the Impact of Virtualization on Your Network & a Demo of How to Manage the 1000V with
SolarWinds Orion NPM

Cisco & SolarWinds Resource Center – NetFlow, IP SLA, 1000V, EnergyWise, Cisco SBA Networks,
Managing the Borderless Network, and more. Learn about this powerful partnership

About SolarWinds, Inc.


SolarWinds (NYSE: SWI) provides powerful and affordable IT management software to more than
93,000 customers worldwide – from Fortune 500 enterprises to small businesses. Focused on the
real-world needs of IT professionals, SolarWinds products are downloadable, easy to use and
maintain, and provide the power, scale, and flexibility needed to manage today’s complex IT
environments. SolarWinds’ growing online community, thwack, is a gathering-place for
problem-solving, technology-sharing, and participating in product development for all of SolarWinds’
products. Learn more today at http://www.solarwinds.com.
