VSM Summary


version 4.2(1)SV2(2.2)
svs switch edition essential
no feature telnet
feature lacp
banner motd #Nexus 1000v Switch#
ip domain-lookup
ip host Nexus1000v 10.10.1.101
hostname Nexus1000v
errdisable recovery cause failed-port-state
vem 3
  host id 2fb52500-0000-0000-0000-000000000004
vem 4
  host id 2fb52500-0000-0000-0000-000000000003
vem 5
  host id 2fb52500-0000-0000-0000-000000000002
vem 6
  host id 2fb52500-0000-0000-0000-000000000001
vrf context management
vlan 1,203,207,213,251-253,300,402,410,1020-1021
vlan 203
  name VPN/OSPF|Firewall
vlan 207
  name LABDMZ3_10.240.8.0/22
vlan 213
  name secmgmt_10.10.1.0/24
vlan 252
  name EPS-DB_10.240.24.128/27
vlan 253
  name mReporting10.240.18.0/27
vlan 402
  name tdlab.ca_AD10.10.10.0
vlan 410
  name Montreal10.10.11.64_26
lacp offload
port-channel load-balance ethernet source-mac
port-profile default max-ports 32
port-profile type ethernet Unused_Or_Quarantine_Uplink
  vmware port-group
  shutdown
  description Port-group created for Nexus1000V internal usage. Do not use.
  state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
  vmware port-group
  shutdown
  description Port-group created for Nexus1000V internal usage. Do not use.
  state enabled
port-profile type ethernet UpLink_FI6296
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 213,252-253,402,410,1020-1021
  channel-group auto mode on mac-pinning
  no shutdown
  system vlan 213,402,1020-1021
  state enabled
port-profile type vethernet vlan207_10.240.8.x
  vmware port-group
  switchport access vlan 207
  switchport mode access
  no shutdown
  state enabled
port-profile type vethernet vlan1020
  vmware port-group
  switchport access vlan 1020
  switchport mode access
  no shutdown
  system vlan 1020
  state enabled
port-profile type vethernet vlan1021
  vmware port-group
  switchport access vlan 1021
  switchport mode access
  no shutdown
  system vlan 1021
  state enabled
port-profile type vethernet vlan203_Vpn/OSPF|Firewall
  vmware port-group
  switchport access vlan 203
  switchport mode access
  no shutdown
  state enabled
port-profile type vethernet vlan213_10.10.1.0/24
  vmware port-group
  switchport access vlan 213
  switchport mode access
  no shutdown
  state enabled
port-profile type vethernet vlan252_10.240.24.128/27
  vmware port-group
  switchport access vlan 252
  switchport mode access
  no shutdown
  state enabled
port-profile type vethernet vlan253_10.240.18.0/27
  vmware port-group
  switchport access vlan 253
  switchport mode access
  no shutdown
  state enabled
port-profile type vethernet vlan402_10.10.10.0/24
  vmware port-group
  switchport access vlan 402
  switchport mode access
  no shutdown
  state enabled
port-profile type vethernet vlan410_10.10.11.64/26
  vmware port-group
  switchport access vlan 410
  switchport mode access
  no shutdown
  state enabled
port-profile type vethernet VMK_Control_L3
  capability l3control               ***/ In L3 mode this port type must be defined as l3control
  vmware port-group
  switchport access vlan 1020
  switchport mode access
  no shutdown
  system vlan 1020                 ***/ An interface carrying the control VLAN naturally belongs to a system VLAN
  state enabled
system storage-loss log time 30
vdc Nexus1000v id 1
  limit-resource vlan minimum 16 maximum 2049
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 768
  limit-resource u4route-mem minimum 1 maximum 1
  limit-resource u6route-mem minimum 1 maximum 1
interface port-channel1
  inherit port-profile UpLink_FI6296
  vem 3
interface port-channel2
  inherit port-profile UpLink_FI6296
  vem 4
interface port-channel3
  inherit port-profile UpLink_FI6296
  vem 6
interface port-channel4
  inherit port-profile UpLink_FI6296
  vem 5
interface mgmt0
  ip address 10.10.1.101/23
interface Vethernet1
  inherit port-profile vlan1020
  description Nexus1000V-Secondary, Network Adapter 1
  vmware dvport 64 dvswitch uuid "80 87 20 50 34 17 00 d6-72 3c 0d 2b 3d 60 ae 1d"
  vmware vm mac 0050.56A0.27AF
interface Vethernet2
  inherit port-profile vlan1021
  description Nexus1000V-Primary, Network Adapter 3
  vmware dvport 100 dvswitch uuid "80 87 20 50 34 17 00 d6-72 3c 0d 2b 3d 60 ae 1d"
  vmware vm mac 0050.56A0.6656
interface Vethernet3
  inherit port-profile vlan1020
  description Nexus1000V-Primary, Network Adapter 1
  vmware dvport 65 dvswitch uuid "80 87 20 50 34 17 00 d6-72 3c 0d 2b 3d 60 ae 1d"
  vmware vm mac 0050.56A0.4D13
interface Vethernet4
  inherit port-profile vlan1021
  description Nexus1000V-Secondary, Network Adapter 3
  vmware dvport 101 dvswitch uuid "80 87 20 50 34 17 00 d6-72 3c 0d 2b 3d 60 ae 1d"
  vmware vm mac 0050.56A0.5578
interface Vethernet5
  inherit port-profile vlan402_10.10.10.0/24
  description vShield Manager, Network Adapter 1
  vmware dvport 512 dvswitch uuid "80 87 20 50 34 17 00 d6-72 3c 0d 2b 3d 60 ae 1d"
  vmware vm mac 0050.56A0.665F
interface Vethernet6
  inherit port-profile vlan402_10.10.10.0/24
  description vShield-FW-10.10.10.47, Network Adapter 1
  vmware dvport 513 dvswitch uuid "80 87 20 50 34 17 00 d6-72 3c 0d 2b 3d 60 ae 1d"
  vmware vm mac 0050.56A0.02E3
interface Vethernet7
  inherit port-profile vlan402_10.10.10.0/24
  description win7pro, Network Adapter 1
  vmware dvport 514 dvswitch uuid "80 87 20 50 34 17 00 d6-72 3c 0d 2b 3d 60 ae 1d"
  vmware vm mac 0050.56A0.5863
interface Vethernet8
  inherit port-profile VMK_Control_L3
  description VMware VMkernel, vmk1
  vmware dvport 576 dvswitch uuid "80 87 20 50 34 17 00 d6-72 3c 0d 2b 3d 60 ae 1d"
  vmware vm mac 0050.5660.2D83
interface Vethernet9
  inherit port-profile VMK_Control_L3
  description VMware VMkernel, vmk2
  vmware dvport 577 dvswitch uuid "80 87 20 50 34 17 00 d6-72 3c 0d 2b 3d 60 ae 1d"
  vmware vm mac 0050.5667.48BC
interface Ethernet4/2
  inherit port-profile UpLink_FI6296
  description Server3_port1
interface Ethernet4/3
  inherit port-profile UpLink_FI6296
  description Server3_port2
interface Ethernet6/2
  inherit port-profile UpLink_FI6296
  description Server1_port1
interface Ethernet6/3
  inherit port-profile UpLink_FI6296
  description Server1_port2
interface control0
  ip address 10.20.0.2/24
line console
boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.2.2.bin sup-1
boot system bootflash:/nexus-1000v.4.2.1.SV2.2.2.bin sup-1
boot kickstart bootflash:/nexus-1000v-kickstart.4.2.1.SV2.2.2.bin sup-2
boot system bootflash:/nexus-1000v.4.2.1.SV2.2.2.bin sup-2
ip route 0.0.0.0/0 10.20.0.1    ***/ Gives the VSM its path to the remote hosts
monitor session 1 type erspan-source   ***/ Monitoring from a VM that is not on the same host
  source interface Vethernet5 both       ***/ The monitored interface of a VM on host A
  destination ip 10.10.10.37            ***/ Address of the monitoring VM on host B
  erspan-id 1
  ip ttl 64
  ip prec 0
  ip dscp 0
  mtu 1500
  header-type 2
  no shut
svs-domain
  domain id 1
  control vlan 1
  packet vlan 1021
  svs mode L3 interface control0      ***/ In L3 mode the control/packet VLANs have no effect; what actually takes effect is the configuration of the VMK interface created for it
svs connection LabUCS
  protocol vmware-vim
  remote ip address 10.10.1.253 port 80
  vmware dvs uuid "80 87 20 50 34 17 00 d6-72 3c 0d 2b 3d 60 ae 1d" datacenter-name LabUCS
  max-ports 8192
  connect
vservice global type vsg
  tcp state-checks invalid-ack
  tcp state-checks seq-past-window
  no tcp state-checks window-variation
  no bypass asa-traffic
vnm-policy-agent
  registration-ip 0.0.0.0
  shared-secret **********
  log-level

Interpretation

The Control VLAN is used for HA synchronization between VSMs and for communication between the VSM and the VEMs.

The configuration above is an example of L3 mode. Once L3 mode is set, the Control/Packet VLANs defined under svs-domain no longer take effect; what actually takes effect is the interface defined in `svs mode l3 interface mgmt0/control0`. This example uses control0, because mgmt0 sits in a separate VLAN with no routing to the outside: it cannot reach the VM that is supposed to perform the ERSPAN monitoring, and so it cannot mirror the traffic on vem5 to 10.10.10.37.

VSM NICs

When the VSM is created, three interfaces are generated automatically, in the order NIC1 = Control0, NIC2 = Mgmt0, NIC3 = Packet.

So in L3 mode, control0 actually belongs to VLAN 1020 (set on the VM). We then created a vethernet port-profile named VMK_Control_L3; this setting creates a VMware port group on the 1000V VDS:

port-profile type vethernet VMK_Control_L3
  capability l3control
  vmware port-group
  switchport access vlan 1020
  switchport mode access
  no shutdown
  system vlan 1020
  state enabled

The profile places the interfaces that use it in access VLAN 1020 (using 1020 here is really no different from the L2 case; another VLAN could be used, but then a route from control0 to that VLAN would be needed) and marks them for L3 control. Next, each host needs to be able to use this VMK interface to talk to the VSM, which is what gives each host's VEM its communication with the VSM. Because the 1000V VDS cannot be configured in vCenter under Inventory -> Networking, the VMK has to be created on each host and given an IP address (in VLAN 1020).

ERSPAN

There are three SPAN cases:

  1. Monitoring different VMs on the same host = an ordinary monitor session.
  2. Monitoring VMs on different hosts in the same subnet = L2 ERSPAN.
  3. Monitoring VMs on different hosts in different subnets = L3 ERSPAN.

Example:

VM1 -- Host1 ---- Cloud ---- Host2 -- VM2

VM1 = the monitored VM, VM2 = the VM doing the monitoring.

Host1 must have a route to VM2, otherwise ERSPAN fails.

On a regular Nexus, ERSPAN can be chained across several switches as a relayed SPAN: the second switch uses the specified receiving IP as its monitor source and steers the mirrored traffic into the interface doing the capture. The SPAN IDs just need to match.


iSCSI port-profile

For the VMware software iSCSI initiator to see the VMK adapter on the iSCSI port group, all three of the following are required:

  1. system vlan under both iscsi port-profile and uplink port-profile
  2. capability iscsi-multipath
  3. vmk interface on VMware port-profile port-group
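Added here as an example (not part of the original post or of the Nexus 1000V software): a small Python checker that parses port-profile blocks from a running-config in the form shown above and applies the system-VLAN rule from the L3 control and iSCSI sections, that is, a profile with capability l3control or iscsi-multipath must carry its access VLAN as a system VLAN both on itself and on the ethernet uplink profile. The sample configuration is constructed; VMK_iSCSI_A is a hypothetical profile that violates the rule.

```python
# Constructed sample, not the page's full config: the uplink and VMK_Control_L3 blocks
# mirror the post; VMK_iSCSI_A is a hypothetical profile that is deliberately incomplete.
SAMPLE_CONFIG = """
port-profile type ethernet UpLink_FI6296
  system vlan 213,402,1020-1021
port-profile type vethernet VMK_Control_L3
  capability l3control
  switchport access vlan 1020
  system vlan 1020
port-profile type vethernet VMK_iSCSI_A
  capability iscsi-multipath
  switchport access vlan 252
"""

def expand_vlans(spec):
    """Expand an NX-OS VLAN list such as '213,1020-1021' into a set of ints."""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def parse_port_profiles(text):
    """Return {name: {type, capabilities, access, system}} for each port-profile block."""
    profiles, cur = {}, None
    for line in text.splitlines():
        if line.startswith("port-profile type "):
            ptype, name = line.split()[2:4]
            cur = profiles[name] = {"type": ptype, "capabilities": set(), "access": None, "system": set()}
            continue
        if cur is None or not line.startswith(" "):
            cur = None  # a blank line or another top-level command ends the block
            continue
        tok = line.split()
        if tok[:1] == ["capability"]:
            cur["capabilities"].add(tok[1])
        elif tok[:3] == ["switchport", "access", "vlan"]:
            cur["access"] = int(tok[3])
        elif tok[:2] == ["system", "vlan"]:
            cur["system"] |= expand_vlans(tok[2])
    return profiles

def check_system_vlans(profiles):
    """Flag l3control/iscsi-multipath profiles whose access VLAN is not a system VLAN
    on the profile itself and on at least one ethernet (uplink) profile."""
    uplink = set().union(*(p["system"] for p in profiles.values() if p["type"] == "ethernet"))
    findings = []
    for name, p in profiles.items():
        if p["capabilities"] & {"l3control", "iscsi-multipath"}:
            for scope, sysv in (("profile", p["system"]), ("uplink", uplink)):
                if p["access"] not in sysv:
                    findings.append(f"{name}: access vlan {p['access']} is not a system vlan on the {scope}")
    return findings
```

Running `check_system_vlans(parse_port_profiles(SAMPLE_CONFIG))` reports nothing for VMK_Control_L3 and two findings for VMK_iSCSI_A, one per missing system-VLAN declaration.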

Summary:

The network health of NIC1 matters a great deal; it determines whether the VSM's HA state is stable (if NIC1 has a problem, the VSM can still discover through Mgmt0 that a Secondary VSM exists, but the HA state will stay at POWER-UP; only when NIC1 is connected does it reach ACTIVE/STANDBY).

The VSM and the VEMs are controlled over the control channel, so the control path must be free of problems.

SVS mode L2 can do ERSPAN, but only between different hosts in the same subnet. To use the same VSM with hosts in different subnets, the VSM must have a way to reach the remote hosts, which is impossible without a Mgmt0/Control0 IP plus a route.
