Network Prerequisites for deploying a Virtual LoadMaster on VMware vSphere 6.7
This post covers the network prerequisites for configuring a Virtual LoadMaster in a VMware vSphere environment.
Key points to note:
- Do not attempt to upgrade VMware Tools. They are already integrated into the Virtual LoadMaster (VLM) appliance.
- A dedicated (duplicate) port group on the same VLAN is required so that the relaxed security and teaming settings apply only to the load balancer port group, and only the LoadMaster VMs are placed on it. Forged Transmits = Accept weakens the vSwitch's MAC spoofing protection, so it should not be enabled on a port group shared with other VMs.
- Security policy required: Forged Transmits must be set to Accept on the new port group. Set this explicitly on the port group (uncheck "inherit from vSwitch") so that a later change to the vSwitch policy cannot silently revert it.
- RARP notifications must be disabled on the LB port group by setting Notify Switches to No. Otherwise ESXi sends RARP packets on behalf of the VM every time it is powered on or vMotioned.
- Ensure the VLM's MAC address is set to static. The LoadMaster license is tied to the MAC address, so a regenerated MAC can invalidate the license.
What are RARP (Reverse Address Resolution Protocol) packets?
When Notify Switches is set to Yes (the default), ESXi is permitted to send RARP packets on behalf of the virtual machines running on the ESXi host.
These packets are sent so that the physical switches on the local network learn the location of the virtual machines running on the ESXi host. A physical switch does this by observing each incoming frame and recording its source MAC address against the port it arrived on.
One problem you can face when running load balancers on a RARP-enabled port group or vSwitch is that all inbound traffic can end up being passed to a single real server, potentially overloading it and turning it into a single point of failure. It can also disrupt High Availability (HA) KEMP configurations, preventing the LoadMasters from communicating correctly and from failing over from the Active to the Passive node.
You can find out more about RARP within VMware here: https://kb.vmware.com/s/article/1556
Standard vSwitch Step by step configuration Guide:
The following steps show you how to configure an LB port group on an ESXi standard vSwitch.
- Log in to ESXi, select Networking (1) and click Add port group (2).
- Change the default Name (1) of the port group and select Accept for Forged transmits. In this example I have kept the same VLAN as the existing VM Network port group and called the new one LB VM Network.
- Next, edit the settings of the newly created port group. Select the LB VM Network port group (1) and then click Edit settings (2).
- Expand the NIC teaming section.
- Set Notify switches to No (1), then click Save (2). (This must be No, not the default Yes; Yes would re-enable the RARP notifications discussed above.)
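The same standard vSwitch configuration can be scripted with PowerCLI, which is useful when several hosts need the identical port group. This is an added example, not code from the original post or from KEMP. It assumes a host named esx01.lab.local, a source port group "VM Network" on vSwitch0, and the new port group name "LB VM Network"; all three are placeholders.

```powershell
# Added example (not from the original post): PowerCLI equivalent of the
# standard vSwitch steps above. Assumed/placeholder names: host esx01.lab.local,
# vSwitch0, source port group "VM Network", new port group "LB VM Network".
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'esx01.lab.local'

$vmHost  = Get-VMHost -Name 'esx01.lab.local'
$vSwitch = Get-VirtualSwitch -VMHost $vmHost -Name 'vSwitch0'

# Reuse the VLAN of the existing VM port group so the LB port group sits on the
# same network; only the LoadMaster VMs should be attached to it.
$src  = Get-VirtualPortGroup -VirtualSwitch $vSwitch -Name 'VM Network'
$lbPg = New-VirtualPortGroup -VirtualSwitch $vSwitch -Name 'LB VM Network' -VLanId $src.VLanId

# Security policy: Forged Transmits = Accept, hard-set on the port group
# (ForgedTransmitsInherited $false = do not inherit from the vSwitch).
$lbPg | Get-SecurityPolicy |
    Set-SecurityPolicy -ForgedTransmits $true -ForgedTransmitsInherited $false | Out-Null

# NIC teaming: Notify Switches = No, hard-set on the port group.
$lbPg | Get-NicTeamingPolicy |
    Set-NicTeamingPolicy -NotifySwitches $false -InheritNotifySwitches $false | Out-Null

# Verify the result before deploying the VLM.
$sec  = $lbPg | Get-SecurityPolicy
$team = $lbPg | Get-NicTeamingPolicy
$report = [pscustomobject]@{
    PortGroup                = $lbPg.Name
    VlanId                   = $lbPg.VLanId
    ForgedTransmits          = $sec.ForgedTransmits
    ForgedTransmitsInherited = $sec.ForgedTransmitsInherited
    NotifySwitches           = $team.NotifySwitches
    NotifySwitchesInherited  = $team.InheritNotifySwitches
}
$report | Format-List

if (-not $report.ForgedTransmits -or $report.ForgedTransmitsInherited -or
    $report.NotifySwitches -or $report.NotifySwitchesInherited) {
    throw "Port group '$($report.PortGroup)' is not ready for a Virtual LoadMaster."
}

Disconnect-VIServer -Server 'esx01.lab.local' -Confirm:$false
```

The two `Inherited` flags are the scripted equivalent of unticking "inherit from vSwitch" in the UI; without them a later change to the vSwitch's default policy would flow down to the LB port group and undo the setting.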
Prerequisites for deploying a Virtual LoadMaster on a Distributed Switch
Distributed Switch Step by step configuration Guide:
Two options are detailed here: the first shows how to create a new distributed port group, and the second shows how to edit the settings of an existing distributed port group.
Creating a new distributed port group for KEMP VLM’s:
- Create a new distributed port group for the load balancer network.
- Enter the name of the distributed port group; use something like LB/ADC VM Network.
- Ensure that the tick box "Customize default policies configuration" is ticked so that you can edit the Security and Teaming options during creation.
- Under the Security section, change Forged transmits from the default Reject to Accept.
- Under the Teaming and failover section, ensure Notify switches is set to No.
- Skip the remaining sections, go to Ready to complete and click Finish.
Editing a distributed port group for KEMP VLM’s:
This is the same configuration as before, applied to an existing distributed port group.
- Select the distributed port group under Networking.
- Under the Configure tab, select Edit.
- Under Security, set Forged transmits to Accept.
- Under Teaming and failover, set Notify switches to No.
- Click OK to finish.
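Both distributed switch procedures above (creating a new port group and editing an existing one) collapse to the same few PowerCLI calls, and the same script can check the static MAC requirement from the key points list. This is an added example, not code from the original post or from KEMP. It assumes a vCenter named vcsa.lab.local, a distributed switch "DSwitch-Prod", a source port group "VM Network", the new port group "LB/ADC VM Network", and VLM virtual machines named kemp-vlm-*; all are placeholders.

```powershell
# Added example (not from the original post): PowerCLI equivalent of the two
# distributed-switch procedures above, plus a static-MAC check on the VLM NICs.
# Assumed/placeholder names: vcsa.lab.local, DSwitch-Prod, "VM Network",
# "LB/ADC VM Network", VMs named kemp-vlm-*.
Import-Module VMware.VimAutomation.Core, VMware.VimAutomation.Vds
Connect-VIServer -Server 'vcsa.lab.local'

$vds = Get-VDSwitch -Name 'DSwitch-Prod'

# Option 1: create a new distributed port group on the same VLAN as the
# existing VM port group.
$srcVlan = (Get-VDPortgroup -VDSwitch $vds -Name 'VM Network').VlanConfiguration.VlanId
$lbPg    = New-VDPortgroup -VDSwitch $vds -Name 'LB/ADC VM Network' -VlanId $srcVlan

# Option 2: edit an existing port group instead. Everything below is identical.
# $lbPg = Get-VDPortgroup -VDSwitch $vds -Name 'LB/ADC VM Network'

# Security: Forged Transmits = Accept. Teaming and failover: Notify Switches = No.
$lbPg | Get-VDSecurityPolicy      | Set-VDSecurityPolicy      -ForgedTransmits $true  | Out-Null
$lbPg | Get-VDUplinkTeamingPolicy | Set-VDUplinkTeamingPolicy -NotifySwitches  $false | Out-Null

# Verify the two settings that matter for the VLM.
$sec  = $lbPg | Get-VDSecurityPolicy
$team = $lbPg | Get-VDUplinkTeamingPolicy
if (-not $sec.ForgedTransmits -or $team.NotifySwitches) {
    throw ("Port group '{0}' is not ready for a VLM (ForgedTransmits={1}, NotifySwitches={2})" -f
        $lbPg.Name, $sec.ForgedTransmits, $team.NotifySwitches)
}

# Key-points check: every VLM NIC should have a static (Manual) MAC address and
# sit on the LB port group. AddressType is the vSphere API field
# VirtualEthernetCard.addressType, which is Manual, Generated or Assigned.
$nicReport = Get-VM -Name 'kemp-vlm-*' | Get-NetworkAdapter | ForEach-Object {
    [pscustomobject]@{
        VM          = $_.Parent.Name
        Adapter     = $_.Name
        PortGroup   = $_.NetworkName
        MacAddress  = $_.MacAddress
        AddressType = $_.ExtensionData.AddressType
        StaticMac   = ($_.ExtensionData.AddressType -eq 'Manual')
        OnLbPortGroup = ($_.NetworkName -eq $lbPg.Name)
    }
}
$nicReport | Format-Table -AutoSize

$problems = $nicReport | Where-Object { -not $_.StaticMac -or -not $_.OnLbPortGroup }
if ($problems) {
    Write-Warning "VLM NICs with a generated MAC or on the wrong port group:"
    $problems | Format-Table -AutoSize
}

Disconnect-VIServer -Server 'vcsa.lab.local' -Confirm:$false
```

The MAC check only reports; it deliberately does not rewrite the adapter's address, because changing the MAC of a licensed LoadMaster is exactly what the key points warn against. Fix a Generated address by setting it to Manual in the VM's settings before the VLM is licensed.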
This blog post has shown how to configure the network settings on VMware vSphere before deploying a virtual load balancer. Failing to configure these prerequisites can result in KEMP VLM connectivity problems: communication issues between two KEMP Virtual LoadMasters configured as an HA pair/cluster, or between the LoadMasters and their real servers. If you experience network issues when configuring KEMP LoadMasters, check the Forged Transmits and Notify Switches settings on the port groups first.