Distributed Switch Port Group Bindings

In a vSphere environment where vDS is being used for networking connectivity, there are several options available for what should be the type of port binding that is to be used for a portgroup. Have you ever wondered which Port Binding setting is most suitable for the distributed portgroups to get optimal performance? 

In this post we will be talking about some use cases for using different type of port bindings with vDS.

There are 3 types of Port Binding that is available at portgroup level

  1. Static Binding
  2. Dynamic Binding
  3. Ephemeral Binding

pb-1.PNG

We will discuss about these one by one.

Static Binding

When you connect a virtual machine to a port group configured with static binding, a port is immediately assigned and reserved for it, guaranteeing connectivity at all times. The port is disconnected only when the virtual machine is removed from the port group. You can connect a virtual machine to a static-binding port group only through vCenter Server.

If a portgroup is using static binding and it runs out of port, no new VM’s can be attached to that portgroup. In this case either you increase number of ports on the portgroup or enable auto expand (we will talk about this a bit more later in this post).

Also New Virtual machines cannot be connected to a dvPortGroup when vCenter is down. There will be absolutely no impact on VM’s that were created before vCenter server went down. A VM which was in powered-off state when vCenter went down, can be powered-on without any issue and it will retain its port id.

Dynamic binding

In a port group configured with dynamic binding, a port is assigned to a virtual machine only when the virtual machine is powered on and its NIC is in a connected state. The port is disconnected when the virtual machine is powered off or the NIC of the virtual machine is disconnected. Virtual machines connected to a port group configured with dynamic binding must be powered on and off through vCenter.

Note: Dynamic binding is deprecated from ESXi 5.0, but this option is still available in vSphere Client. 

Ephemeral binding

In a port group configured with ephemeral binding, a port is created and assigned to a virtual machine by the host when the virtual machine is powered on and its NIC is in a connected state. When the virtual machine powers off or the NIC of the virtual machine is disconnected, the port is deleted.

Lets see some of the use cases for when to use what type of port binding.

Why use static port binding?

As we discussed that static port binding provides one to one relationship between virtual machine and virtual port-ID. You can compare this with physical switch where all your Server’s/pcs is hooked to a dedicated port. This makes network administrators life easier as it provide them ability to monitor the physical switch ports for any network or security issues that could be caused by the servers or pcs. In case of security incidents they can identify the port easily and can shut it down.

So if you use static binding with vDS, you get following benefits:

  • Port state persistence helps in troubleshooting network issues
  • Helps Firewall/IDS/IPS devices that need state full ports
  • Monitoring and Accounting application traffic
  • Port state migrated with vMotion

This is explained via a great example by Vyenkatesh Deshpande on vmware blog website.

When to use Dynamic port binding?

Dynamic binding can be used in environments where you have more virtual machines than available ports, but do not plan to have a greater number of virtual machines active than you have available ports. For example, if you have 300 virtual machines and 100 ports, but never have more than 90 virtual machines active at one time, dynamic binding would be appropriate for your port group.

When to use Ephemeral binding?

One of the downside with static binding is that new VM’s can’t be bring online when vCenter server is down.  When creating a new virtual machine, you will see below warning

pb-2.PNG

Although you will be able to create the VM, you won’t be able to add the network card to the VM. You won’t find any portgroup in Network label drop down list to connect to. 

pb-3.PNG

Now lets test ephemeral port binding setting. 

In my lab I created a new portgroup with Ephemeral binding. ( I did not touched existing portgroups as I have running VM’s attached to those portgroups).

pb-4.PNG

Now lets shutdown the vCenter server and see what happens when we create a new VM.

while creating the VM, I was able to attach VM to a portgroup which I created earlier.

pb-6.PNG

When this VM is powered on in absence of vCenter, a temporary port is created on the host for the vNIC with the ID “h-1”

pb-7.PNG

When vCenter server comes back online, stuff get synched and vNIC is assigned a proper port-id

pb-8.PNG

So from this test, we can conclude that ephemeral port binding should be used when you want ability to add vNIC to an existing or new VM or want to create new VM in absence of vCenter server. Basically you get following advantages with ephemeral:

  1. Ephemeral ports are ultimately owned by the host, eliminating any dependency on the state of vCenter Server.
  2. Negates the need to create a Standard vSwitch and play tag with your host’s vmnic adapters.
  3. Control over port group settings remains in the hands of the VDS, reducing configuration overhead or vSwitch sprawl.

Is there any downside of using Ephemeral port binding?

You might wonder, if ephemeral port binding offers advantage over static binding, then why it is not the default option presented to user when creating portgroups on vDS. Answer of this question lies in this article by Duncan Epping.

The main disadvantage of using ephemeral port binding is that it brings network security threat with it. A user who has access to Esxi host (but not vCenter) can create rogue virtual machine and place it on the network or to move VMs between networks. 

Port Allocation

  • Elastic – The default number of ports is eight. When all ports are assigned, a new set of eight ports is created. This is the default.
  • Fixed – The default number of ports is set to eight. No additional ports are created when all ports are assigned.

Additional Reading

Distributed vSwitches and vCenter outage, what’s the deal?

VMware KB-1022312

I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂

Add a Comment