Rate Limiting of External Networks in vCloud Director and Nexus 1000V

There is a new feature in vCloud Director 5.1 which was requested a lot by service providers – configurable limits on routed external networks (for example Internet) for each tenant. Limits can be set both for incoming and outgoing directions by vCloud Administrator on tenant’s Edge Gateway.

Edge Rate Limit Configuration

However this feature only works with VMware vSphere distributed switch – it does not work with Cisco Nexus 1000V or VMware standard switch. Why? Although the feature is provided by the Edge Gateway, what is actually happening in the background is that vShield Manager instructs vCenter to create a traffic shaping policy on the distributed vswitch port used by the Edge VM.

vSphere Distributed Switch Traffic Shaping

Standard switch does not allow port specific traffic shaping and Nexus 1000V management plane (Virtual Supervisor Module) is not accessible by the vShield Manager/vCenter. The rate limit could be applied on the port of the Cisco switch manually, however any Edge redeploy operation, which is accessible by the tenant via GUI would deploy a new Edge and use different port on the virtual switch and tenant could thus easily disable the limit.

For the standard switch backed external network vCloud Director GUI will not even present the option to set the rate limit, however for the Nexus backed external network the operation will fail with similar error:

Cannot update edge gateway “ACME_GW”
java.util.concurrent.ExecutionException: com.vmware.vcloud.fabric.nsm.error.VsmException: VSM response error (10086): Traffic shaping policy can be set only for a Vnic connected to a vmware distributed virtual portgroup configured with static port binding. Invalid portgroup ‘dvportgroup-9781′.

Nexus 1000V Error

Btw the rate limit can be set on the Edge (when not using vCloud Director) also via vShield Manager or its API – it is called Traffic Shaping Policy and configurable in the vSM > Edge > Configure > Interfaces > Actions menu.

vShield Manager Traffic Shaping

Do not forget to consider this when designing vCloud Director environments and choosing the virtual switch technology.

Cisco Nexus 1000V and vCloud Director 5.1

Three months ago I wrote a blog post about vCloud Director and VXLAN integration with Cisco Nexus 1000V. The article was based on vCloud Director version 1.5.1. The new version of vCloud Director 5.1 integrates VXLAN in quite different way so I want to dedicate this post to it.

Although there is an excellent article about VXLAN setup in vCloud Director 5.1 it describes only the native vSphere VXLAN implementation. Cisco will most likely release an updated whitepaper on the integration, however it will take at least couple of months. Fortunately the setup is not that difficult and is basically the combination of the two procedures and can be derived by understanding of the following two points.

• Cisco Nexus 1000V does not integrate VXLAN via the Network isolation-backed network pool ‘hack’ into vCloud Director as was the case in the old 1.5.1 version.
• vShield Manager now fully abstracts the VXLAN creation, so from vCloud Director perspective it makes no difference if Nexus or vSphere distributed switch is used.

The process:

1. Enable VXLAN on the Nexus 1000V switch (network segmentation manager and segmentation features must be enabled)
2. Create port-profile on Cisco VSM with VXLAN capability.
3. Create vmkernel vmknic on each ESX host that will participate in VXLAN networks. This will be the uplink for all VXLAN encapsulated traffic.
4. Enlarge MTU on the ethernet uplink to at least 1550 (1600 recommended) to support the header overhead of the UDP encapsulated packets.
5. As multicast is used to limit the broadcast traffic to only those ESX hosts that have VMs in given VXLAN segment, enable IGMP snooping on the upstream physical switches.
6. If VXLAN traverses layer 3 networks enable layer 3 multicast routing (PIM).
7. If VXLAN traverses layer 3 networks and the VXLAN vmknic is in different subnet the VEM (and uses different default gateway) enable proxy ARP on the upstream layer 3 switch/router.
9. Integrate Cisco Nexus 1000V switch with vShield Manager (vSM): In the left vSM tab select Settings and Reports, Configuration, Networking. Click Add Switch Provider and enter the switch name, Service API base URL (https://<cisco vsm address>/n1k/services/NSM and admin VSM credentials.
   
10. Prepare the hosts/clusters for VXLAN. In the left tab select the datacenter in which VXLAN participating hosts are residing, select Network Virtualization tab, Preparation, click Edit and chose the Nexus distributed switch.
11. Create a pool of segment IDs and multicast range that can be used for VXLAN networks: while still in the Network Virtualization tab, Preparation, click Segment ID, Edit and enter the Segment ID pool and Multicast addresses.
    

    Segment IDs

That’s all. Now vCloud Director can create VXLAN networks on Nexus 1000V switch. The VXLAN network pool is created automatically with the creation of provider vDC.

Network Pools

Note: It is not possible to use both vSphere distributed switch and Nexus switch as an VXLAN Tunnel Endpoint on the same host. Although it is possible to mix switch providers on the same VXLAN, VMware recommends to use a consistent switch type (vendor etc.) and version across a given network scope. Inconsistent switch types can lead to undefined behavior in your VXLAN virtual wire.

Cisco Nexus 1000V vCloud Director Considerations

I am currently designing a vCloud Director environment and one of the requirements was to use Cisco Nexus 1000V virtual distributed switch with VXLAN support. VXLAN is the new standard to create virtualized networks. The other options to create isolated networks are VLAN or VCDNI pools: VLAN is limited to 4095 virtual networks which is usually not enough for service providers, vCloud Director network isolation (VCDNI) is on the other hand VMware proprietary MAC-in-MAC encapsulation and is harder to accept by security or networking teams. It is obvious that VXLAN is the future. However the only way to use it in current version of vCloud Director (version 1.5.1) is to use Cisco Nexus distributed switch.

Cisco Nexus 1000V brings also the separation of virtual networking from the VMware administrators back to the responsibility of the networking team. On top of that it can be managed with physical Nexus 1010 appliance that runs the Virtual Supervisor Modules (VSM). Why is that important? Some corporations have strict rules about virtual vs hardware cost allocations and network team cannot take ownership of virtual entities. The hardware Nexus 1010 helps them to overcome the process complexities.

vCloud Director Integration

There is no GUI option to create VXLAN backed network pools in VCD 1.5.1. The way Nexus 1000V integrates with vCloud is that it replaces the vCloud Director Network Isolation when using in combination with Nexus vDS.

Network pool options in vCloud Director 1.5.1

To get it to work some prior steps must be done:

1. VXLAN must be enabled at the Nexus switch (network segmentation manager and segmentation features must be enabled).
2. Nexus VSM must be registered with vShield Manager. The network creation workflow is basically: vCloud Director => vShield Manager => Virtual Supervisor Module. To avoid confusion, vShield Manager has acronym vSM and Virtual Supervisor Module is VSM. So in short: VCD => vSM => VSM.
   

   vShield Manager VSM integration

3. vmkernel port-profile must be created on VSM with VXLAN capability.
4. vmknic hast to be created on all ESX hosts that will participate in VXLAN networks. This will be basically the uplink for the VXLAN encapsulated traffic.
5. The MTU on the ethernet uplink must be enlarged to 1550 to support the header overhead of the UDP encapsulated packets.
6. As multicast is used to limit the broadcast traffic to only those ESX hosts that have VMs in given VXLAN segment, IGMP snooping must be enabled on the upstream physical switches.

Other considerations

There are however other important considerations related to the Nexus 1000V deployment. Each Nexus 1000V switch must be managed by its own VSM. The VSM is a virtual appliance and can run either directly on ESX host or on hardware Nexus 1010 appliance. The Nexus 1010 appliance can host up to 6 VSMs. VSM also needs to talk not only to vCenter over management network but also to Virtual Ethernet Modules (VEM) running as modules in vmkernel on each ESX host. This communication happens over Packet and Control networks. They can be in two separate VLANs or can be mixed into one. But still it is important to trunk this additional VLAN to the Nexus switch.

There are also important scalability considerations. One Nexus 1000V switch can have only 216 ports per ESX host and only 2048 ports per switch. This can have quite an impact on the design when hosts with a lot of memory (300 GB+) are used. Basically the tenant can create a large number of relatively small VMs in his organization vDC and exhaust all the available switch ports. If we consider an average 2 GB per VM, we can fit about 150 VM per host and exhaust the switch with 14 host cluster.

And there is another limit – only 1 VSM per vCenter datacenter. So we cannot just add another 14 host cluster to scale. We have to add another vCenter Datacenter. The impact is that when an organization has two org vDCs each in different cluster/datacenter backed by two Nexus 1000Vs these two org vDCs cannot be connected with one organization routed or isolated network – those are backed by VXLAN and VXLAN cannot span two Nexus 1000V switches. The spanning limitation is also limitation with vSphere distributed switch (VDS) but that has much higher scalability limits and does not hurt so much (VDS can have 1016 ports per host and 30000 ports per switch. Also there is no limit of 1 VDS per datacenter).

Hopefully new release of vCloud Director or Nexus 1000V will address some of the limitations. Meanwhile do not forget to include those constraints into your design consideration.

Edit 29 September 2012:

Cisco representative informed me about some inaccuracies in my last paragraphs about the scalability considerations. There is no 1 VSM per vCenter Datacenter limit. The correct statement is that Cisco switch cannot be deployed across datacenters, but that is also true for vSphere distributed switch. So there is no need to add additional datacenters. But we still need to dedicate one Nexus 1000V per cluster due to the maximum port limit (so no vMotion between clusters) and we can have only 12 clusters per vCenter due to 12 Nexus switches limit per vCenter in vCloud Director. However vCloud Director 5.1 enables VXLAN spanning over different switches, so org networks then can span clusters.

Regarding the port limits (per host, per switch), I was told that they are soft limits that were tested, so customers might exceed them. Not sure of the supportability implications, but I guess its up to the customer to do the scalability tests and how close is their relationship with Cisco support.

vShield Troubles

I have recently installed VMware vCloud Director on ESXi server in my home lab. However this is not what I want to blog about today. Yesterday I rebooted the ESXi server and all the vCloud Director related changes were gone – the Oracle DB VM, vCloud Director, vShield Manager and vShield appliance were not registered in the inventory. That would not be so bad as that the virtual network did not work at all. I could not ping any virtual machine. And because I run vCenter virtual I was in very bad situation.

I knew that my problem was because of vShield related changes vCloud Director did to the networking. The vShiled internal switch was gone. So I though I had two options. Either to get vShield working again from command line or to reinstall ESXi. I tried both however was not successful on any of them. I was surprised that newly reinstalled ESXi with the old VMs did not fix the networking. And then I noticed this:

All the virtual NIC of all the VMs were disconnected. So I checked the connected checkbox but the setting would not stick.

Then I checked the .vmx files of all the VMs and noticed vShield related changes to the networking.

ethernet0.filter0.name = “vshield-dvfilter-module”
ethernet0.filter0.param1 = “uuid=52393e32-ee4f-4420-808d-dd2683015301.000″

I removed the two entries as seen in the next screenshot rebooted the VM and finaly the network was working again.

vSphere: Cannot remove empty virtual switch

A few days ago I was trying to migrate running virtual machines from one virtual switch to another one without any downtime. When I thought I was done I tried to remove the vacated virtual switch, but instead was greeted with the following error:

Error: A specified parameter was not correct.

Well after scratching my head for a while I discovered nasty bug in vSphere. If you rename a port group, the configuration files of VMs using this portgroup are not updated. If you create a new port group with the old name, vSphere client then shows the VMs in the new port group, however in reality they are still residing in the old one and using its connectivity. 

To reproduce my steps that lead to the above image:

1. I created ‘Test’ virtual machine port group on new vSwitch2 and placed there a running VM1
2. I renamed the port group to ‘Test2′ – VM1 disappeared
3. I created new virtual machine port group ‘Test‘ on vSwitch0. The VM1 immediately jumped into this new port group.
4. I tried to delete vSwitch2 and got the error.

Running esxcfg-vswitch -l I received this output:

The supposedly empty port group ‘Test2‘ is using 1 port and the new ‘Test‘ port group shows 0 used ports even though vSphere client shows running VM1 in it.

So what is really happening? Actually this is not a bug of vSphere client as it relays on info provided by SDK of ESX server. Running commands

vmware-vim-cmd vmsvc/get.networks <vmid>

vmware-vim-cmd hostsvc/net/vswitch_info

gives wrong info about the port group names. vSphere client incorrectly assumes that the VM was migrated to the other switch, but in fact it still resides on the old switch. The only way out of it is open VM settings and change the network connection to a different port group and back again. The network adapter info gets updated and now finally the VM is migrated to the new switch and the old one can be removed.

This was tested on ESX build 4.0.0,236512.