WEBVTT

0:00:02.820000 --> 0:00:06.840000
Hello and welcome to this video titled Virtual Switches.

0:00:06.840000 --> 0:00:11.340000
In this video I'm going to talk about Virtual Machine Segmentation, and

0:00:11.340000 --> 0:00:14.240000
this is where virtual switches come into play.

0:00:14.240000 --> 0:00:17.760000
And we'll talk about Virtual Switch Implementation.

0:00:17.760000 --> 0:00:21.600000
So let's talk about Virtual Machine Segmentation.

0:00:21.600000 --> 0:00:24.040000
Let's draw something here for a moment.

0:00:24.040000 --> 0:00:30.880000
Let's imagine that this box right here represents your physical host.

0:00:30.880000 --> 0:00:32.440000
So that's your physical server.

0:00:32.440000 --> 0:00:37.860000
It's got your CPU, it's got your RAM, all that good stuff in it.

0:00:37.860000 --> 0:00:43.140000
And it, over here, it's even got a NIC card that connects to the outside

0:00:43.140000 --> 0:00:53.820000
world. Now inside that host you've got several virtual machines.

0:00:53.820000 --> 0:00:57.340000
Maybe these blue ones here are owned and operated by payroll.

0:00:57.340000 --> 0:01:01.820000
So we'll just say payroll 1, payroll 2, and payroll 3.

0:01:01.820000 --> 0:01:05.860000
Maybe those are our Windows Server instances.

0:01:05.860000 --> 0:01:11.600000
Maybe we've got a couple of other ones here which are owned by engineering.

0:01:11.600000 --> 0:01:16.800000
So engineering 1, engineering 2, engineering 3.

0:01:16.800000 --> 0:01:20.640000
And then maybe we also have one other sort of standalone VM right here

0:01:20.640000 --> 0:01:22.980000
that's owned by marketing.

0:01:22.980000 --> 0:01:27.800000
So each one of these boxes represents a virtual machine running its own

0:01:27.800000 --> 0:01:29.100000
operating system.

0:01:29.100000 --> 0:01:31.960000
And within it its own various apps.

0:01:31.960000 --> 0:01:34.740000
Now here's our objective.
0:01:34.740000 --> 0:01:40.160000
We want virtual machines that are maintained and operated and administered

0:01:40.160000 --> 0:01:44.100000
by the same department to be able to talk to each other, to be able to

0:01:44.100000 --> 0:01:48.720000
exchange data as if they were actually physical servers on the same LAN.

0:01:48.720000 --> 0:01:50.460000
How do we do that?

0:01:50.460000 --> 0:01:55.060000
Well this is where a virtual switch comes into play.

0:01:55.060000 --> 0:01:59.600000
So we could create in here a virtual switch.

0:01:59.600000 --> 0:02:04.140000
And by the way, when we're talking about type 1 hypervisors like VMware's

0:02:04.140000 --> 0:02:07.600000
ESXi, a virtual switch comes by default.

0:02:07.600000 --> 0:02:12.400000
You can add more than one, but it will have one by default.

0:02:12.400000 --> 0:02:17.020000
And so the moment that you create these virtual machines, now recall that

0:02:17.020000 --> 0:02:20.520000
when you're creating a virtual machine from scratch, you give the virtual

0:02:20.520000 --> 0:02:24.480000
machine a name, descriptive name, you tell it what operating system it's

0:02:24.480000 --> 0:02:29.300000
going to run, then you have to tell the host where in memory that operating

0:02:29.300000 --> 0:02:32.920000
system is. So we have to have an instance of the Windows operating system

0:02:32.920000 --> 0:02:33.600000
loaded in there.

0:02:33.600000 --> 0:02:36.260000
We have to have an instance of Ubuntu loaded in there.

0:02:36.260000 --> 0:02:39.520000
Whatever our operating systems are, they have to already be loaded in

0:02:39.520000 --> 0:02:41.300000
memory of the host.
0:02:41.300000 --> 0:02:46.160000
We have to tell it how much RAM and if we want that virtual machine to

0:02:46.160000 --> 0:02:51.400000
be connected either to other virtual machines, in like a virtual network,

0:02:51.400000 --> 0:02:55.840000
or we want to be connected to the real outside world, have actual access

0:02:55.840000 --> 0:03:01.200000
to the physical NIC card here, we need to give it a virtual NIC or a

0:03:01.200000 --> 0:03:04.560000
vNIC. I'll just draw that up here.

0:03:04.560000 --> 0:03:09.100000
So this is part of the configuration process of a virtual machine.

0:03:09.100000 --> 0:03:12.360000
You say, hey, I want to give you one vNIC or I want to give you four

0:03:12.360000 --> 0:03:16.840000
virtual NICs. Now the moment you give it a virtual NIC, guess what?

0:03:16.840000 --> 0:03:27.200000
You have just tied it in to this virtual switch, vSwitch.

0:03:27.200000 --> 0:03:29.800000
Now just like on a real switch, right?

0:03:29.800000 --> 0:03:31.280000
Think about a real switch.

0:03:31.280000 --> 0:03:34.960000
I could have four ports here on this physical switch which are going to

0:03:34.960000 --> 0:03:39.240000
payroll, another four ports which are going to marketing, and I want those

0:03:39.240000 --> 0:03:43.360000
four ports to be in, I want those to be in completely separate broadcast

0:03:43.360000 --> 0:03:47.920000
domains to where payroll and marketing are in different subnets and they

0:03:47.920000 --> 0:03:52.440000
can't talk to each other.

0:03:52.440000 --> 0:03:55.780000
Hopefully your brain, you're thinking ding, ding, ding, ding, VLANs,

0:03:55.780000 --> 0:03:57.060000
I would use VLANs.

0:03:57.060000 --> 0:04:01.840000
Well we're going to do something here similar with the virtual switch.

0:04:01.840000 --> 0:04:07.580000
So each one of these things here, each one of these VMs is going to have

0:04:07.580000 --> 0:04:15.200000
a virtual NIC connecting it to the vSwitch like this.
0:04:15.200000 --> 0:04:19.260000
And then now if you don't touch the vSwitch, if you don't configure it,

0:04:19.260000 --> 0:04:21.620000
all these things will be able to talk to each other.

0:04:21.620000 --> 0:04:24.940000
They'll all be interconnected as if they were on the same LAN.

0:04:24.940000 --> 0:04:28.480000
They would all presumably have an IP address in the exact same subnet.

0:04:28.480000 --> 0:04:31.940000
If you don't want that, if you want to segment them off, for example,

0:04:31.940000 --> 0:04:36.580000
if we want payroll to be able to talk to each other, but not talk to

0:04:36.580000 --> 0:04:40.780000
anybody else, now we have to go on to the vSwitch and say, hey, on your

0:04:40.780000 --> 0:04:44.780000
virtual ports, we need to put you in a special group.

0:04:44.780000 --> 0:04:47.860000
Now depending on what type of vSwitch it is, whether it's a vSwitch

0:04:47.860000 --> 0:04:52.740000
that was provided via Microsoft's Hyper-V hypervisor, or whether it's

0:04:52.740000 --> 0:04:59.000000
a vSwitch provided by VMware's ESXi, the terminology to separate the

0:04:59.000000 --> 0:05:00.720000
ports might be different.

0:05:00.720000 --> 0:05:03.920000
For example, one hypervisor might actually use VLANs.

0:05:03.920000 --> 0:05:07.700000
It might say, okay, put your virtual switch ports in a different VLAN

0:05:07.700000 --> 0:05:12.540000
to do it. Other virtual switches, for example, ESXi uses things called

0:05:12.540000 --> 0:05:16.360000
port groups. But a port group is essentially another name for VLAN.

0:05:16.360000 --> 0:05:20.080000
It's just grouping ports into a named group.

0:05:20.080000 --> 0:05:24.920000
So for example, if we were talking about VMware ESXi, we might create

0:05:24.920000 --> 0:05:26.460000
some port groups.

0:05:26.460000 --> 0:05:30.360000
So maybe on a piece of paper, I would write down, okay, here's how my

0:05:30.360000 --> 0:05:32.080000
port groups are going to be.
0:05:32.080000 --> 0:05:38.340000
Port group. I'm going to have a port group for payroll.

0:05:38.340000 --> 0:05:41.740000
I'm going to have another port group for engineering.

0:05:41.740000 --> 0:05:44.460000
I'm going to have another port group for marketing.

0:05:44.460000 --> 0:05:49.380000
So you go into ESXi, you go into the vSwitch, and you create these port

0:05:49.380000 --> 0:05:52.020000
groups. Kind of like VLANs, right?

0:05:52.020000 --> 0:05:56.640000
On a physical switch, you create the VLANs first, you say, hey, VLAN

0:05:56.640000 --> 0:05:59.620000
two exists. VLAN nine exists.

0:05:59.620000 --> 0:06:04.880000
But once you create the VLAN, then the next step is to tell the switch,

0:06:04.880000 --> 0:06:08.480000
which interfaces are in the VLAN.

0:06:08.480000 --> 0:06:11.800000
So you have to do a two-step process, create the VLAN first, then tell

0:06:11.800000 --> 0:06:14.620000
the switch, hey, this port, it's in VLAN two.

0:06:14.620000 --> 0:06:16.600000
This port, it's in VLAN nine.

0:06:16.600000 --> 0:06:18.820000
Same process here exists.

0:06:18.820000 --> 0:06:24.380000
Now in VMware's ESXi vSwitch, we create the port group first, and the

0:06:24.380000 --> 0:06:25.820000
port group is just a name.

0:06:25.820000 --> 0:06:30.340000
You say port group payroll, port group engineering, port group one, two,

0:06:30.340000 --> 0:06:32.340000
three, whatever you want it to be.

0:06:32.340000 --> 0:06:34.840000
And then you go to the vSwitch, you say, okay, this connection right

0:06:34.840000 --> 0:06:37.640000
here, I want you to be in the payroll port group.

0:06:37.640000 --> 0:06:39.100000
The payroll port group.

0:06:39.100000 --> 0:06:40.160000
Payroll port group.

0:06:40.160000 --> 0:06:43.140000
All right, these other connections over here on the right, I want you

0:06:43.140000 --> 0:06:44.980000
to be in the engineering port group.

0:06:44.980000 --> 0:06:48.220000
The engineering port group.
0:06:48.220000 --> 0:06:52.880000
And you, last one right here, you'll be in the marketing port group.

0:06:52.880000 --> 0:06:57.380000
And now you've provided your logical segmentation.

0:06:57.380000 --> 0:07:00.980000
Payroll can talk to payroll, engineering can talk to engineering, and

0:07:00.980000 --> 0:07:04.360000
marketing at this point can talk to nobody.

0:07:04.360000 --> 0:07:08.120000
Now, if you also want these guys to have access to the outside world,

0:07:08.120000 --> 0:07:10.860000
we could leave it like this right now.

0:07:10.860000 --> 0:07:14.960000
And then we could give people the IP address of the actual host itself,

0:07:14.960000 --> 0:07:18.620000
and then they could log into their individual VMs.

0:07:18.620000 --> 0:07:20.180000
But we probably don't want to do that.

0:07:20.180000 --> 0:07:24.140000
We want these VMs to actually have outside connectivity to the real corporate

0:07:24.140000 --> 0:07:31.000000
network. So then what we have to do is we would have our physical NIC

0:07:31.000000 --> 0:07:34.060000
tied into the vSwitch.

0:07:34.060000 --> 0:07:41.560000
And typically there's a default VLAN or a default port group that ties

0:07:41.560000 --> 0:07:45.020000
into the host's actual NIC card.

0:07:45.020000 --> 0:07:47.020000
Whatever that might be called.

0:07:47.020000 --> 0:07:52.900000
For example, it might be called VMNet.

0:07:52.900000 --> 0:07:54.880000
Just as an example.

0:07:54.880000 --> 0:07:56.240000
Alright, well guess what?

0:07:56.240000 --> 0:08:00.400000
If I want these VMs to have access to the outside world, now I need to

0:08:00.400000 --> 0:08:03.220000
give them a second vNIC.

0:08:03.220000 --> 0:08:07.620000
So for example, my marketing virtual machine will have one vNIC on the

0:08:07.620000 --> 0:08:11.040000
marketing port group, which is kind of useless because there's nobody,

0:08:11.040000 --> 0:08:13.300000
there's no other VM in his group.
0:08:13.300000 --> 0:08:17.440000
And then we'll give him another virtual NIC, and we'll put that in the

0:08:17.440000 --> 0:08:21.000000
VMNet port group.

0:08:21.000000 --> 0:08:24.560000
Now through that, he has access to the outside world.

0:08:24.560000 --> 0:08:31.520000
We'll take payroll three server, give him a second NIC card, a second

0:08:31.520000 --> 0:08:38.080000
virtual NIC, and we'll put that also in the VMNet port group.

0:08:38.080000 --> 0:08:40.720000
Now he has access to the outside world.

0:08:40.720000 --> 0:08:48.360000
So each one of these things here will have two virtual NIC cards.

0:08:48.360000 --> 0:08:52.980000
One virtual NIC card is used for them to have intercommunication among

0:08:52.980000 --> 0:08:55.580000
other VMs in their same group.

0:08:55.580000 --> 0:08:59.760000
Another virtual NIC card is what gives them access to the outside world.

0:08:59.760000 --> 0:09:03.320000
And so this is how we can provide segmentation of our virtual machines

0:09:03.320000 --> 0:09:07.280000
by having yet another virtual construct.

0:09:07.280000 --> 0:09:10.580000
Which is called a virtual switch.

0:09:10.580000 --> 0:09:19.580000
So the connections between virtual machines are governed by this virtual

0:09:19.580000 --> 0:09:23.680000
switch. And he can also give them external connectivity to the outside

0:09:23.680000 --> 0:09:28.680000
world. The virtual switch also contains a MAC address table.

0:09:28.680000 --> 0:09:33.600000
So each one of those virtual machines, when you spin it up, when you go

0:09:33.600000 --> 0:09:36.740000
into the hypervisor and you tell the hypervisor, hey, I want to create

0:09:36.740000 --> 0:09:39.480000
a new virtual machine that's a Windows virtual machine.

0:09:39.480000 --> 0:09:44.960000
Well, by default, the hypervisor will assign a MAC address to that virtual

0:09:44.960000 --> 0:09:50.040000
machine, as if it was a real physical device sitting on the network.
0:09:50.040000 --> 0:09:53.260000
So the network will know it by its MAC address.

0:09:53.260000 --> 0:09:58.860000
And the virtual switch inside the host will also have a MAC address table.

0:09:58.860000 --> 0:10:03.000000
And some virtual switches, depending on the flavor of hypervisor, whether

0:10:03.000000 --> 0:10:08.440000
it be Hyper-V or ESXi or something else, sometimes these virtual switches

0:10:08.440000 --> 0:10:14.600000
can also do very advanced features like DHCP snooping, dynamic ARP inspection,

0:10:14.600000 --> 0:10:18.840000
access lists. They can do all sorts of security features as well.

0:10:18.840000 --> 0:10:23.440000
So a couple of examples of virtual switches are Microsoft's Hyper-V.

0:10:23.440000 --> 0:10:25.180000
They have a virtual switch built in.

0:10:25.180000 --> 0:10:30.860000
And I've also just been talking about VMware's ESXi vSwitch.

0:10:30.860000 --> 0:10:39.600000
So as I mentioned, in a virtual machine environment, we have virtual NICs,

0:10:39.600000 --> 0:10:41.840000
typically we call those vNICs.

0:10:41.840000 --> 0:10:45.760000
So as you're creating the virtual machine, as you're defining the virtual

0:10:45.760000 --> 0:10:50.340000
machine for the very first time, you have to tell it how many vNICs it's

0:10:50.340000 --> 0:10:54.540000
going to have and what connections on the virtual switch those vNICs will

0:10:54.540000 --> 0:10:55.700000
be connected to.

0:10:55.700000 --> 0:10:59.160000
And you might say, oh man, but I already created my virtual machine like

0:10:59.160000 --> 0:11:02.560000
a week ago, and I forgot to add vNICs to it.

0:11:02.560000 --> 0:11:07.420000
No problem. Most virtual machines, when they're in an up and running state,

0:11:07.420000 --> 0:11:09.400000
you can't add a vNIC to it.

0:11:09.400000 --> 0:11:12.920000
It's like, you know, if you go into your laptop and try sliding in another

0:11:12.920000 --> 0:11:16.260000
ethernet card, the operating system might bark at you for that.
0:11:16.260000 --> 0:11:19.140000
It's not the type of thing you can do on the fly.

0:11:19.140000 --> 0:11:22.300000
But all you got to do is power off the virtual machine.

0:11:22.300000 --> 0:11:26.040000
Once the virtual machine is powered off, you can make any changes to the

0:11:26.040000 --> 0:11:27.280000
settings that you want.

0:11:27.280000 --> 0:11:31.400000
You could give it more memory, you could give it more CPU power, and you

0:11:31.400000 --> 0:11:34.580000
could add or remove virtual NIC cards to it.

0:11:34.580000 --> 0:11:37.480000
As long as it's in the powered off state, you can do that.

0:11:37.480000 --> 0:11:41.300000
And then of course, we also have physical NICs on the host computer.

0:11:41.300000 --> 0:11:44.480000
Now, your physical NIC, clearly you're going to want that to be pretty

0:11:44.480000 --> 0:11:48.300000
fast because that one physical NIC is going to be handling all the input

0:11:48.300000 --> 0:11:52.960000
and output traffic of all the virtual machines inside that host.

0:11:52.960000 --> 0:11:58.980000
Most hosts typically utilize more than one, more than one physical NIC

0:11:58.980000 --> 0:12:05.840000
card. So the quantity of vNICs on a virtual machine is not limited like

0:12:05.840000 --> 0:12:06.760000
a physical device.

0:12:06.760000 --> 0:12:13.080000
For example, when you buy a Windows laptop, that Windows laptop will typically

0:12:13.080000 --> 0:12:16.260000
come with just like one physical ethernet port.

0:12:16.260000 --> 0:12:20.100000
If it has any, a lot of laptops these days only have Wi-Fi connections.

0:12:20.100000 --> 0:12:23.020000
They don't even have a physical ethernet port.

0:12:23.020000 --> 0:12:25.140000
And you can't add more to it.

0:12:25.140000 --> 0:12:27.680000
This is one of the beautiful things about virtual machines is that when

0:12:27.680000 --> 0:12:30.440000
they're in the powered off state, you can manipulate them.
0:12:30.440000 --> 0:12:36.080000
You can actually add more NIC cards to them, more vNICs.

0:12:36.080000 --> 0:12:40.100000
So the connections between virtual switches and vNICs can be placed into

0:12:40.100000 --> 0:12:45.040000
VLANs. And like I said, typically the hypervisor will come with one default

0:12:45.040000 --> 0:12:50.820000
virtual switch. And the moment you add a vNIC to any of your VMs, that

0:12:50.820000 --> 0:12:53.780000
vNIC will connect into the virtual switch.

0:12:53.780000 --> 0:12:59.660000
So here's an example of what the virtual switch looks like inside of an

0:12:59.660000 --> 0:13:02.060000
ESXi hypervisor.

0:13:02.060000 --> 0:13:05.660000
A type one ESXi hypervisor.

0:13:05.660000 --> 0:13:12.300000
So here you see this is the sort of logical or graphical representation

0:13:12.300000 --> 0:13:15.540000
of the virtual switch.

0:13:15.540000 --> 0:13:19.000000
And the virtual switch has port groups.

0:13:19.000000 --> 0:13:23.000000
Now in ESXi terminology, the port group is just given a name.

0:13:23.000000 --> 0:13:29.240000
So for example, here we have a port group which is called Eve1.

0:13:29.240000 --> 0:13:31.220000
That's just the name of the port group.

0:13:31.220000 --> 0:13:33.720000
Here's another one that's called Trunk1.

0:13:33.720000 --> 0:13:39.680000
Here's one called TestPGB for port group B, TestPGA.

0:13:39.680000 --> 0:13:45.300000
And then it comes with a default one which is VMNIC1.

0:13:45.300000 --> 0:13:48.700000
That's the port group that you would connect to if you actually want to

0:13:48.700000 --> 0:13:53.700000
connect to the physical host adapter and get actual access to outside

0:13:53.700000 --> 0:13:55.960000
network connectivity.

0:13:55.960000 --> 0:14:02.660000
So as you can see looking at this right here, these are three different

0:14:02.660000 --> 0:14:05.200000
virtual machines.

0:14:05.200000 --> 0:14:09.300000
The first one is a virtual router and then we have two virtual switches.
0:14:09.300000 --> 0:14:16.740000
But because their virtual NICs are all placed into the same port group,

0:14:16.740000 --> 0:14:20.600000
in this case called the Eve1 port group, they can all talk to each other

0:14:20.600000 --> 0:14:22.260000
on that port group.

0:14:22.260000 --> 0:14:26.680000
As if they were connected to the exact same local area network.

0:14:26.680000 --> 0:14:32.240000
And in this case right here, when one is showing up as green, that tells

0:14:32.240000 --> 0:14:34.820000
you that that particular VM is currently on.

0:14:34.820000 --> 0:14:36.480000
It's in the powered on state.

0:14:36.480000 --> 0:14:40.560000
When something is white, it tells you that VM is currently off.

0:14:40.560000 --> 0:14:41.860000
It's not running.

0:14:41.860000 --> 0:14:46.220000
So you can see here, this gives you a good graphical representation of

0:14:46.220000 --> 0:14:49.360000
how the virtual switch works.

0:14:49.360000 --> 0:14:54.620000
And if you wanted to, you could have additional virtual switches.

0:14:54.620000 --> 0:14:56.100000
You could go in here.

0:14:56.100000 --> 0:14:59.000000
So right now this says vSwitch number one.

0:14:59.000000 --> 0:15:04.000000
What we could do is let me show you this.

0:15:04.000000 --> 0:15:12.360000
So here I'm going to log into ESXi.

0:15:12.360000 --> 0:15:18.940000
Okay, so notice here on the left, we have a section about VMs,

0:15:18.940000 --> 0:15:19.720000
virtual machines.

0:15:19.720000 --> 0:15:22.060000
So if I want to look at all my VMs, I could do that.

0:15:22.060000 --> 0:15:24.300000
But here we have networking.

0:15:24.300000 --> 0:15:26.440000
It tells me I currently have one virtual switch.

0:15:26.440000 --> 0:15:28.740000
But if I just click on networking in general.

0:15:28.740000 --> 0:15:32.120000
Okay, it shows me all my different port groups.

0:15:32.120000 --> 0:15:38.020000
So if you're familiar with VLANs, think of these as like VLANs.
0:15:38.020000 --> 0:15:39.400000
Each one of those is a unique VLAN.

0:15:39.400000 --> 0:15:42.620000
And you can even assign VLAN numbers to those if you want.

0:15:42.620000 --> 0:15:47.320000
So for example, if a port group will actually have outside connectivity,

0:15:47.320000 --> 0:15:50.660000
you would want to give it its own distinctive VLAN number.

0:15:50.660000 --> 0:15:55.720000
And that will be carried in an 802.1Q tag as it's going out to a physical

0:15:55.720000 --> 0:15:57.780000
switch connected to this host.

0:15:57.780000 --> 0:16:02.500000
But when I click on virtual switches, I could create more.

0:16:02.500000 --> 0:16:07.080000
For example, we've got vSwitch0, vSwitch1.

0:16:07.080000 --> 0:16:10.100000
I could add a standard virtual switch.

0:16:10.100000 --> 0:16:16.700000
Give it a name. Tell it what physical NIC card it's going to be associated

0:16:16.700000 --> 0:16:21.600000
to. Add some security parameters.

0:16:21.600000 --> 0:16:26.620000
But you can see virtual switches are a very powerful element of virtualization.

0:16:26.620000 --> 0:16:32.700000
They give you control over what virtual machines can talk to and what they

0:16:32.700000 --> 0:16:39.520000
can't. So that concludes this video on virtual switches.