The article talks about three cases.

Different vSwitches, same port group and VLAN

Same vSwitch, different port group and VLAN

Same vSwitch, same port group and VLAN

and correctly concludes that in the first two cases the traffic leaves the ESX server, goes to the physical switch, and comes back, while in the third case, the traffic stays within the ESX server.

However, there is a fourth case

Same vSwitch, different port group and same VLAN – The way you would set this up in ESX is to create separate portgroups, then go into both portgroups and set the same VLAN id (e.g., 300) in it. In this case also, the traffic stays within the ESX server. Moreover, our performance tests show that its just as fast as the same vswitch, same portgroup, same VLAN case. The advantage of this setup, as explained inVLANs vs vSwitches, is that you can change the VLAN easily without having to change the portgroup.

The reason I say switching instead of routing is that the traffic in most of these cases stays within a single L2 domain, and is never routed. Routing involves leaving an L2 domain, bumping up the stack from Ethernet to IP, getting routed over a different interface and going down into a different L2 domain. The only case in which that happens is when we have different VLANs. Then the traffic must go through a router (perhaps only a switch acting as a router) which forwards the traffic from one VLAN to another.

Consequently, that brings up an interesting point. The only reason the traffic has to leave the ESX server in the second case (same vSwitch, different port group and VLAN) is to get to a router that can take it off VLAN 1 and put it back on VLAN 2. If you deploy a virtual router or a virtual firewall (such as the TBDVirtualFirewall), you can forward traffic from the first VLAN to the second using two interfaces of the VFW, and avoid leaving the ESX server. Again gives you a big performance boost, at the cost of some CPU cycles for running the VFW.

Lets first set the context. We are using a VM as a virtual firewall inside of an ESX server. So the question arises, how much does that slow us down? How fast can you move packets from a VM to the VFW out the interface of the VFW to the second VM?

We used netperf to do the testing, and used the range test.

The throughput you can squeeze out depends on the size of the datagram, so we end up with a table that looks something like this. We used tripped down Linux VMs running netperf (specifically the tcp_range-script) to generate the test packets and measure the throughput.

That means that if you send teeny tiny 1 byte packets, you can only send a bit less than 5 Mbps (because of the per packet copy overhead), but if you send big packets (looks like anything above 4K packets)  you can get close to 130 Mbps.

But is that good or bad? How fast could you go if you went directly VM to VM. Also, can anything to be done to speed this up?

We looked at the VMware paper on performance mentioned in my June 5 entry. http://www.vmware.com/files/pdf/ESX_networking_performance.pdf
and realized that you can get a significant speedup by using the optimized network driver. So we went ahead and did that on the test VMs, and then looked at the comparison.

That clearly looks bad, but we have not yet optimized the VFW drivers. So lets do that and compare again.

That looks pretty good. Even with the VFW in between we can go as fast as the direct VM to VM communication. The numbers actually look like we can go faster with the VFW, although, we don’t have a really good explanation for that. Perhaps some kind of pipelining effect.

VMware claims that they can go as fast as native hardware…
http://www.vmware.com/files/pdf/ESX_networking_performance.pdf

But a bit of deeper reading into vmware’s claims seems to indicate that in order to get the network performance up to native hardware levels, you have to install the vmxnet driver. Also, you have to enable a few things (Jumbo frames, TCP Segmentation Offloading).

We are still playing around with the various settings in our lab. While the performance is significantly improved from the starting point, we are still not at the point comparable to native hardware. Stay tuned for more results.

A portgroup is the equivalent (in the ESX virtual network) of the port on a physical switch. The way you connect a VM to a VSwitch in ESX is to connect the interface of the VM to a port group. So you need the port group anyway, regardless of whether you define VLANs in the VSwitch or not.

Once you do that, then you have the option of changing the VLAN setting from the default (variously denoted as * or 0 in the ESX server, and meaning don’t do any VLANs) to a specific VLAN tag. If you do that, it means that portgroup will only pass packets for that specific VLAN, and not pass anything else, in the direction from the switch to the VM. In the other direction, the VM sends packets without any VLAN tags, and the VSwitch puts the VLAN tag on it for the purposes of packet forwarding.

If it is going to send the packet to another VM on another portgroup in the same VSwitch, then it will just take the tag off again, so effectively it only uses the vlan tag on the various port groups to decide which set of portgroups to forward packets between.

If it is going to forward that packet through a physical network interface card (pnic) to a physical switch and if the pnic is in trunking mode, it will send the packet with the tags to the physical switch so that the physical switch can look at the vlan tag to decide where to forward the packet. In the other direction, if the vswitch gets a tagged packet from the pnic, it will only forward it to your port group if the tags match.

If forwarding to another vswitch… well, ESX does not support connecting vswitches together. Probably because they don’t want to or have not yet implemented the spanning tree protocol and all of its extentions, so that’s not an option.

So the short answer is, portgroups are there anyway, just to allow packets to go from VMs to VSwitches, and that’s also where you put the VLAN tag in a VSwitch. You have to use portgroups to do pretty much anything (including VLANs) in VSwitches.

Now
they are coming up with 10 Gig unified Ethernet, which has the
potential to become the unified fabric of the data center. They are
working on extensions of the basic protocol to support things like
bandwidth allocation (802.1Qaz) and reliability (802.1AG) and failover
(802.1Qay).

The
interactions with Network Virtualization start from setting up VLANs to
separate the SAN traffic from the network data traffic. You may, of
course, create additional separate VLANs to separate network data
traffic from different applications. You may also create separate VLANs
for different SAN logical disks. And you could allocate all of these
different QoS parameters, such as bandwidth.

If
you are using iSCSI, you can also extend the virtual network across the
WAN using a tunnel. The SAN you are accessing might be at the other end
of the country. You probably cannot do anything about the latency, but
you can guarantee some throughput, so for throughput bound applications
this might be acceptable.

And
if any of these things dynamically move around, network virtualization
can keep track of the moving targets, and make sure the network
configuration follows the changes. So if VMotion moves a VM to another
ESX server, network virtualization could make sure that the SAN
connection it needs is still there, by reconfiguring the VLAN that the
SAN needs to go to the new ESX server.

• Create a new vswitch and put one group in vswitch A and the other group in vswitch B?
• Create separate VLANs within the same vswitch and put the different VMs into VLAN A and VLAN B

Both will give you separation of traffic. And with the caveat of bugs in the security implementation of the hypervisor, both are reasonably secure. So is there a strong reason to go one way or the other?

VLANs are more flexible than Vswitches just because the VLAN setting is easier to change. If we want to move a VM from one Vswitch to another, either we have to shutdown the VM, delete the portgroup from the first vswitch, create another portgroup in another vswitch with the same name, and then start the VM again. Or you can shutdown the VM, and then change the portgroup the VM is in and start it again. Either way, you have to shutdown the VM.

To move the VM to another VLAN, all you have to do is change the VLAN tag of the portgroup. No need to shutdown the VM.

You get the most flexibility if you put each VM into its own portgroup. Then you can move a single VM to another VLAN. Otherwise, you have to move all the VMs in the portgroup, since you only have one slot for VLAN tag on the portgroup.