The Secret of Ephemeral Port Groups

VMware vSphere networking is available in two variations — Standard vSwitch and Distributed Switch (vDS) — that accommodate a wide range of requirements for any environment.  Standard switches are simple to set up and understand, but the effort to manage them scales along with the number of ESXi hosts managed.  While that management can certainly be automated, e.g., through PowerCLI, there are advantages to the centrally-configured Distributed Switch.

This is not an article to convince you to use one over the other; to see what experts have to say about the matter, take a look at a recent article from Duncan Epping on whether to go pure Distributed or hybrid.

Whenever this topic comes up for debate, it’s clear that the major concern about vDS is the inability to manage virtual networks if vCenter Server goes down.  Hence the impetus for considering a hybrid environment: management interfaces on Standard vSwitches, with only VM networking benefiting from vDS.  However, there is a configuration alternative that may just boost confidence in a pure vDS network.

Distributed Switch Port Group Bindings

Distributed Switches, just like Standard vSwitches, use port groups to configure various network capabilities, VLANs, etc.  One difference is that vDS port groups have three different binding options: static, dynamic, and ephemeral.  For an overview of these options, check out KB Article 1010593.

The key point to note is that port groups using ephemeral bindings behave very much like a Standard vSwitch — even with vCenter Server powered off, administrators have the ability to connect directly to an ESXi host and reconfigure VM networking.

In fact, it is even possible to create a new VM from scratch directly on a host while vCenter is offline, as seen here:

Behind the scenes, with vCenter unavailable, a temporary port is created on the host for the vNIC with the ID "h-1":

After vCenter Server comes back online, everything syncs up and the VM is automatically updated with a numeric port ID from the vDS:

Leveraging Ephemeral Port Groups

If the inability to quickly provision a new VM or to reconnect a vNIC while vCenter Server is unavailable has kept you from considering a pure vDS network architecture, ephemeral port groups may be a suitable safety net.  You would not even need to use ephemeral port groups for production virtual networks — simply create a few to have as backups for accessing the most critical VLANs.

In reality, if vCenter is down that’s probably the first issue to tackle.  But, in order to recover from a minor catastrophe, it may be necessary to manually register that VM and get it online — an idle ephemeral port group could save you the trouble of having to temporarily create a new vSwitch directly on a host.
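The following PowerCLI script is an added example for this post, not code from the original article or from VMware. It creates the handful of ephemeral "safety net" port groups described above on an existing Distributed Switch and then reports every port group's binding type, so you can see exactly which networks remain reachable through a direct host login when vCenter is offline. The vCenter hostname, the switch name, the port group names and the VLAN IDs are all placeholders you would replace with your own.

```powershell
# Added example (not from the original post). Assumes VMware PowerCLI is
# installed and that a Distributed Switch named 'vDS-Prod' already exists.
Import-Module VMware.PowerCLI

# Placeholder vCenter address; replace with your own.
Connect-VIServer -Server 'vcenter.example.local'

$vds = Get-VDSwitch -Name 'vDS-Prod'

# Critical VLANs that should stay reachable from a host while vCenter is down.
# Names and VLAN IDs are constructed values for illustration.
$backupPortGroups = @{
    'Backup-Mgmt-Ephemeral'    = 10
    'Backup-vMotion-Ephemeral' = 20
    'Backup-Infra-Ephemeral'   = 30
}

foreach ($name in $backupPortGroups.Keys) {
    $existing = Get-VDPortgroup -VDSwitch $vds -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # -PortBinding Ephemeral is what lets a host allocate a port on its own
        # (the temporary "h-" style port shown in the post) without vCenter.
        New-VDPortgroup -VDSwitch $vds -Name $name `
            -VlanId $backupPortGroups[$name] -PortBinding Ephemeral | Out-Null
        Write-Host "Created ephemeral backup port group '$name' on VLAN $($backupPortGroups[$name])"
    }
    else {
        Write-Host "Port group '$name' already exists (binding: $($existing.PortBinding))"
    }
}

# Audit: list every port group on the switch with its binding type, port count
# and VLAN. Ephemeral entries are the ones usable directly from a host, so this
# is the list to review when deciding how many of them you really want.
$report = Get-VDPortgroup -VDSwitch $vds |
    Select-Object Name, PortBinding, NumPorts,
        @{ Name = 'VlanId'; Expression = { $_.VlanConfiguration.VlanId } } |
    Sort-Object PortBinding, Name

$report | Format-Table -AutoSize

# Flag the ephemeral ones explicitly so they are easy to spot in a larger list.
$ephemeral = $report | Where-Object { $_.PortBinding -eq 'Ephemeral' }
Write-Host ("{0} ephemeral port group(s): {1}" -f $ephemeral.Count, ($ephemeral.Name -join ', '))

Disconnect-VIServer -Server '*' -Confirm:$false
```

Running the script is idempotent: port groups that already exist are reported rather than recreated, and the closing audit is what you would rerun periodically to confirm that only the intended backup port groups, and not production ones, carry ephemeral binding.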


6 comments

  1. Phillip

    What are the disadvantages or limitations of using ephemeral port binding? Are there any? I would like to know, from a design perspective, why I wouldn’t use these vs. the other options.

  2. Tomas Fojta

    Phillip: The disadvantage is that if you configure ephemeral port binding your network will be less secure. Anybody who gains host access can create a rogue virtual machine and place it on the network, or move VMs between networks. The security hardening guide even recommends lowering the number of ports for each distributed portgroup so there are none unused.

  3. Jason Boche

    Phillip, I ran into an issue using Ephemeral – no binding in conjunction with cloning VMs & Guest Customization which you can read about on my blog using the Pingback link in this comment section.

  4. Bob

    Phillip, we have been having this discussion lately as well with our new vSphere 5 environment. Found this from VMware that talks about the potential downsides to ephemeral port binding:

    http://kb.vmware.com/kb/1022312

    It seems it is recommended for View environments, however, due to linked clone issues:

    http://kb.vmware.com/kb/1021193
