Objective 2.4 – VMware Network Fundamentals
Topics:
· - Differentiate between VCF Networking Components
· - Configure virtual networking fabrics and features
· - Configure virtual networking connectivity and routing
· - Configure virtual networking services
Given a scenario, differentiate between VCF networking components
VMware Cloud Foundation (VCF) networking components include:
NSX (Network Virtualization):
Provides software-defined networking (SDN), micro-segmentation, distributed firewall, load balancing, VPN, and routing.
Key for north-south (datacenter to outside world) and east-west (within datacenter) traffic.
vSphere Distributed Switch (vDS):
Provides centralized management of networking across multiple ESXi hosts.
Supports VLANs, port groups, NIC teaming, traffic shaping, NIOC.
Handles east-west VM-to-VM and VM-to-physical network connectivity.
vSphere Standard Switch (vSS):
Configured per-host.
Typically used in management clusters or smaller environments.
VMkernel Ports:
Special network adapters on ESXi used for host services (vMotion, vSAN, iSCSI, Management).
Physical Network (ToR Switches, Spine/Leaf):
Provides underlay for VCF networking.
Typically integrated with EVPN/VXLAN or VLANs to connect NSX overlay.
Key difference:
vSS/vDS = virtual switch constructs.
NSX = SDN, advanced networking & security.
VMkernel Ports = host services connectivity.
Physical Network = underlay fabric.
Given a scenario, configure virtual networking fabrics and features
Steps (vSphere Distributed Switch):
In vSphere Client, go to Networking → Datacenter → Distributed Switch → New Distributed Switch.
Define name, version, and number of uplinks.
Add hosts to the switch.
Create port groups for VM traffic, management, vMotion, vSAN, etc.
Assign uplink adapters to physical NICs on ESXi hosts.
Configure features:
NIC Teaming – load balancing & redundancy.
Network I/O Control (NIOC) – prioritize traffic types.
Traffic Shaping – limit or guarantee bandwidth.
Private VLANs – for isolated tenant workloads.
Scenario Examples:
Multi-tenant environment → Use NIOC + Private VLANs.
High-availability requirement → NIC Teaming across two ToR switches.
Storage traffic isolation → Dedicated VMkernel + VLAN-backed port group.
Given a scenario, configure virtual networking connectivity and routing
Connectivity Setup (within vSphere):
Create a VM Port Group on vSS or vDS.
Tag the port group with the correct VLAN ID.
Attach the VM network adapter to the port group.
Verify connectivity between VM and physical network.
Routing (via NSX or VMkernel):
VMkernel Routing Table:
Each VMkernel interface can have one default gateway.
Used for management, vMotion, vSAN traffic.
NSX-T Routing:
Tier-0 Gateway: North-south routing (to physical network).
Tier-1 Gateway: East-west routing (between tenant segments).
Uses overlay networks (Geneve encapsulation) over physical underlay.
Scenario Example:
VM on VLAN-backed network needs internet → Configure NSX-T Tier-0 gateway to advertise routes externally.
vSAN cluster across L3 boundaries → Configure dedicated VMkernel interfaces and routing.
Given a scenario, configure virtual networking services
Common Services in vSphere/NSX:
DHCP:
NSX can provide DHCP services to segments.
Or use external DHCP server connected to port group.
Load Balancing:
NSX Advanced Load Balancer (Avi Networks).
Use cases: scale web apps, API gateways.
Firewalling:
NSX Distributed Firewall (DFW): Enforces micro-segmentation at VM NIC level.
Can apply rules based on tags, groups, or identities.
VPN Services (NSX):
IPSec VPN or SSL VPN for site-to-site or remote access.
DNS Forwarding:
NSX can forward DNS requests for workloads in overlay segments.
Steps (example – configure NSX Distributed Firewall):
In NSX Manager, go to Security → Distributed Firewall.
Create a new DFW section.
Define rules (Source, Destination, Service/Port, Action).
Apply tags or groups (e.g., “Web VMs,” “DB VMs”).
Publish rules → traffic is enforced at hypervisor kernel level.