The ESXi MAC learning network filter fling - and how to install it from the V-Front Online depot


With all the ongoing VMworld buzz there is at least one piece of news over at William Lam's VirtuallyGhetto blog that did not get the attention it deserves: VMware has released a new fling for ESXi that implements a MAC learning network filter. That is an important one and highly recommended for all the folks that use nested virtualization on top of ESXi.

Why?

If you run virtual ESXi (vESXi) hosts on top of physical ESXi hosts then you probably know that the network portgroup that the vESXi hosts connect to must be configured for promiscuous mode. This ensures that the vESXi hosts do not only receive the network packets for their own management interfaces, but also for the nested VMs that they run themselves. But it has a drawback: Because of the promiscuous mode all network packets will be copied to all vESXi hosts all the time, and that leads to a lot of unnecessary network traffic and a notable compute overhead.

With the MAC learning filter the physical ESXi host will learn and remember what MAC addresses are really connected to a specific virtual network port and will forward only the packets that are destined for these MAC addresses. All other packets will be dropped regardless of the promiscuous mode being enabled. William has described the problem and the implemented solution very well in his blog post, so go and read it to dive into the details.

It should become clear from William's pictures and description, but it is not explicitly mentioned in his post: Unlike the VMware Tools for Nested ESXi VIB (another must-have for nested virtualization setups!) the MAC learning dvFilter VIB package must be installed on the physical hosts that run virtual hosts, but is not needed on the virtual hosts!

However, both packages have one annoying thing in common: They are both provided as VIB files only and have not officially been made available as Offline bundles or in an Online Depot. And that means that there is no official way to use the package with PowerCLI ImageBuilder or to create an ImageProfile for vSphere Auto Deploy that contains the package.

Sure, you can create an Offline Bundle yourself using VIB2ZIP from my ESXi5 Community Packaging Tools, and I already showed the necessary steps in the related post about the VMware Tools for Nested ESXi. However, this is not really necessary, because I also made the package available through my V-Front Online Depot, so you can just pull it from there. Here is how to do this:


How to use with PowerCLI ImageBuilder and the ESXi-Customizer-PS script

Here is a short PowerCLI script that creates a customized ESXi 5.5 ISO including the vmware-esx-dvfilter-maclearn package:
# Connect the VMware Online depot
Add-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

# Clone the latest ESXi 5.5 profile (as of Aug 2014) into a custom profile
$CloneIP = Get-EsxImageProfile ESXi-5.5.0-20140704001-standard
$MyProfile = New-EsxImageProfile -CloneProfile $CloneIP -Vendor $CloneIP.Vendor -Name (($CloneIP.Name) + "-customized") -Description $CloneIP.Description

# Connect the V-Front Online Depot
Add-EsxSoftwareDepot http://vibsdepot.v-front.de

# Add the MAC learning dvFilter package to the custom profile
Add-EsxSoftwarePackage -SoftwarePackage vmware-esx-dvfilter-maclearn -ImageProfile $MyProfile

# Export the custom profile into an ISO file
Export-EsxImageProfile -ImageProfile $MyProfile -ExportToISO -NoSignatureCheck -FilePath c:\temp\ESXi55-vmware-esx-dvfilter-maclearn.iso

Please note: You need to use the -NoSignatureCheck switch with the Export-EsxImageProfile cmdlet, because the VIB file was not electronically signed for production use (after all it's an unsupported fling!).
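
Because -NoSignatureCheck skips signature verification for the export, it is worth confirming first that the custom profile differs from the VMware base profile by exactly the package you meant to add. This is an added example, not part of the original script: the function name Get-AddedVib and the $expected list are illustrative, and it assumes that $CloneIP and $MyProfile from the script above are still set in the session (Get-FileHash needs PowerShell 4.0 or later).

```powershell
# Added example: run after Add-EsxSoftwarePackage and before the export.
# Assumes $CloneIP and $MyProfile from the script above exist in this session.
function Get-AddedVib {
    param($BaseProfile, $CustomProfile)
    # Key on name AND version so that a depot package which replaces a
    # base VIB of the same name is reported as well.
    $baseKeys = @($BaseProfile.VibList |
        ForEach-Object { "$($_.Name)|$($_.Version)" })
    $CustomProfile.VibList |
        Where-Object { $baseKeys -notcontains "$($_.Name)|$($_.Version)" }
}

# Packages this build is expected to add (name taken from the script above).
$expected = @('vmware-esx-dvfilter-maclearn')

$added = @(Get-AddedVib -BaseProfile $CloneIP -CustomProfile $MyProfile)
$added | Format-Table Name, Version, Vendor, AcceptanceLevel -AutoSize

# Stop if anything other than the expected package entered the profile.
$unexpected = @($added | Where-Object { $expected -notcontains $_.Name })
if ($unexpected.Count -gt 0) {
    throw "Unexpected packages in profile: $($unexpected.Name -join ', ')"
}
if ($added.Count -ne $expected.Count) {
    throw "Expected $($expected.Count) added package(s), found $($added.Count)"
}

# After Export-EsxImageProfile has run: record the ISO hash so that the image
# that gets booted can later be matched to this audited build.
$iso = 'c:\temp\ESXi55-vmware-esx-dvfilter-maclearn.iso'
if (Test-Path $iso) {
    Get-FileHash -Path $iso -Algorithm SHA256 | Format-List Path, Hash
}
```

The AcceptanceLevel column in the table shows at a glance which of the added packages sits below the level of the VMware base profile.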

If you use my ESXi-Customizer-PS script the whole procedure is just one line ;-)
ESXi-Customizer-PS-v2.2.ps1 -vft -load vmware-esx-dvfilter-maclearn -nsc -outDir c:\temp

Usage with AutoDeploy

With the script lines that you find above you can also create an ImageProfile for usage with vSphere Auto Deploy, but due to the missing signature you will get the error message "Could not find a trusted signer" when you use the New-DeployRule cmdlet with it. As a workaround use the command
$DeployNoSignatureCheck=$true
in your PowerCLI session to override the signature check.


The V-Front Online Depot

The examples that I showed here also work with the VMware Tools for Nested ESXi VIB and all the other VIB packages that I have made available in the V-Front Online Depot! For detailed instructions on how to make good use of the V-Front Online Depot please refer to my earlier introduction post.



This post first appeared on the VMware Front Experience Blog and was written by Andreas Peetz. Follow him on Twitter to keep up to date with what he posts.


