Protecting a Distributed Switch with Ephemeral Binding

When using VMware’s Enterprise Plus licensing, I tend to gravitate towards the vSphere Distributed Switch (VDS) for my virtual switching construct. Beyond providing consistent settings across a data center, it’s also much more feature-rich and reduces configuration overhead. With that said, there is some chicken-and-egg fun when putting a vCenter Server – or other vSphere dependencies – into an environment running a VDS.

If vCenter is down, you can usually power on VMs that rely on a VDS. However, there are scenarios (such as data center outages or host restarts) where the virtual network adapter’s binding to its VDS virtual port is in flux and the power-on operation is interrupted.

While it’s certainly been written about by other folks, I wanted to share that I still find the simplest solution is to drop in an Ephemeral port group for VMs that are dependencies for the virtualized environment – vCenter, database, domain controllers, and so on. In the Wahl Network Lab I have a port group called VLAN20-Ephemeral on VLAN 20 (my management VLAN). Here’s the configuration:


This has three advantages:

  1. Ephemeral ports are ultimately owned by the host, eliminating any dependency on the state of vCenter Server.
  2. Negates the need to create a Standard vSwitch and play tag with your host’s vmnic adapters.
  3. Control over port group settings remains in the hands of the VDS, reducing configuration overhead or vSwitch sprawl.

vCenter Server Outage

When vCenter Server is down, I can opt to use the existing VDS port group with a static binding, or should I find that the virtual port is throwing a fit, swap the virtual network adapter over to the ephemeral binding port group.

In the image below, I’ve powered off my vCenter Server VM and used the vSphere Client to connect directly to the host running that VM. I can still edit the VM and use the usual VLAN20-Lab port group or swap it over to the VLAN20-Ephemeral with ephemeral binding.


If I needed more VLANs to be available, I could craft more ephemeral port groups or potentially trunk the VLANs and tag on the VM itself – known as Virtual Guest Tagging (VGT).

Once vCenter is online, swap the VM(s) back to the static binding port groups.

Limited Ephemeral Usage

I don’t leave VMs on the Ephemeral port group; I consider it there just for a rescue operation. VMware has a fancy KB that explains why:

Every operation, including add-host and virtual machine power operation, is slower comparatively because ports are created/destroyed in the operation code path. Virtual machine operations are far more frequent than add-host or switch-operations, so ephemeral ports are more demanding in general.


Port-level permissions and controls are lost across power cycles, so no historical context is saved.

tl;dr – good for rescue, but not the best idea for continued use.
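The workflow above (create the ephemeral rescue port group while vCenter is healthy, swap the VM’s adapter to it during an outage, swap it back afterwards) plus a check for VMs left parked on ephemeral port groups, as an added PowerCLI example that is not code from the original post. It assumes VMware.PowerCLI is installed; the VDS name, host name and port group names are placeholders, and it assumes Get-VirtualPortGroup resolves a distributed port group when connected directly to an ESXi host, as the vSphere Client does in the post.

```powershell
# Added example, not from the original post. "Lab-VDS", "esx01.lab.local" and the
# port group names are placeholders; substitute your own.
Import-Module VMware.PowerCLI -ErrorAction Stop

# Pre-outage, against vCenter: create (or verify) the rescue port group with ephemeral binding.
function New-EphemeralRescuePortgroup {
    param([string]$VDSwitchName, [string]$Name, [int]$VlanId)
    $vds = Get-VDSwitch -Name $VDSwitchName -ErrorAction Stop
    $pg = Get-VDPortgroup -VDSwitch $vds -Name $Name -ErrorAction SilentlyContinue
    if (-not $pg) {
        $pg = New-VDPortgroup -VDSwitch $vds -Name $Name -VlanId $VlanId -PortBinding Ephemeral
    }
    if ($pg.PortBinding -ne 'Ephemeral') { throw "$Name exists but is not ephemeral" }
    return $pg
}

# During the outage (connected straight to the ESXi host) or afterwards (connected to vCenter):
# move every adapter of the VM onto the named port group available on the VM's host.
# Assumption: Get-VirtualPortGroup returns the distributed port group on a host connection.
function Move-VMToPortgroup {
    param([string]$VMName, [string]$PortgroupName)
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    $pg = Get-VirtualPortGroup -VMHost $vm.VMHost -Name $PortgroupName -ErrorAction Stop
    Get-NetworkAdapter -VM $vm | Set-NetworkAdapter -Portgroup $pg -Confirm:$false
}

# Post-rescue audit, against vCenter: report VMs still on any ephemeral port group,
# since port-level permissions and controls there do not survive a power cycle.
function Get-VMOnEphemeralPortgroup {
    $ephemeral = (Get-VDPortgroup | Where-Object { $_.PortBinding -eq 'Ephemeral' }).Name
    if (-not $ephemeral) { return @() }
    Get-VM | Get-NetworkAdapter |
        Where-Object { $ephemeral -contains $_.NetworkName } |
        Select-Object @{ n = 'VM'; e = { $_.Parent.Name } }, Name, NetworkName
}

# Usage (placeholder names):
# Connect-VIServer vcenter.lab.local
# New-EphemeralRescuePortgroup -VDSwitchName 'Lab-VDS' -Name 'VLAN20-Ephemeral' -VlanId 20
# vCenter down:  Connect-VIServer esx01.lab.local; Move-VMToPortgroup 'vcenter' 'VLAN20-Ephemeral'
# vCenter back:  Move-VMToPortgroup 'vcenter' 'VLAN20-Lab'; Get-VMOnEphemeralPortgroup
```

Run the audit function periodically; any VM it lists is one still relying on the rescue port group and should be moved back to its static binding port group.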