T 3.99 Incorrect network connections of a virtualisation server
Network connections for virtual IT systems
A virtualisation server provides the network access of the virtual IT systems operated on it. For this purpose, it usually makes an emulated network card available to the virtual IT systems. This in turn allows the virtual IT systems to access networks or storage networks. These (storage) networks can be either physical or virtual networks.
To be able to use virtual IT systems, the virtualisation server must allow a connection between the virtual network components of the virtual IT systems and the physical networks. This is accomplished by the virtualisation server making its physical interfaces available to the virtual IT systems. The procedure varies between the different virtualisation products, but there are two basic approaches to the transition from virtual to physical network components:
- Direct assignment of virtual to physical networks: the network card of a virtual IT system is bound directly to a physical interface of the virtualisation server.
- Indirect assignment: the (virtual) network cards of the virtual IT systems are connected to a virtual switch that the virtualisation server implements in software. The virtual switch in turn may be connected to the physical network via a physical network card. Since a virtual switch does not necessarily need a physical uplink, this also allows a network to be set up in which the connected virtual IT systems have no connection to the outside at all. Such a configuration can be used, for example, for test systems that do not need external connections.
Within the administration software of the virtualisation server, the network interfaces of the virtual IT systems are assigned to the physical interfaces of the virtualisation server. If this assignment is not carried out correctly, a virtual machine may be connected to the wrong network. If, for instance, an Intranet web server holding confidential data, which is meant to be operated only in the internal network, is thereby connected accidentally to the Internet, bypassing the security gateway (firewall), the confidential data may become reachable from the Internet.
Compared to other servers, a virtualisation server is often equipped with a large number of network cards. This large number is necessary to achieve the best possible integration of the virtualisation server into the network of the computer centre. It is thus possible to operate virtual IT systems required in different network segments on a single virtualisation server. In addition, other interfaces are required for different functions of the virtualisation servers, for example, to access the storage networks or the Live Migration allowing a running virtual IT system to be moved from one virtualisation server to another.
Because of the unusually large number of network cards and cable connections to switches and similar IT systems, there is an increased risk of unintentionally introducing errors into the network infrastructure through incorrect cabling. In addition to the errors listed in T 3.4 Unauthorised connection of cables and T 3.29 Lack of, or unsuitable segmentation, examples of such errors include the following:
- Two physical network cards of the virtualisation server and a virtual switch unintentionally couple (bridge) two network segments that should not be connected to each other; connections between these networks should only be possible through a security gateway. Because of the incorrect cabling, direct connections between systems in the two segments are now possible and the intended segmentation of the network is defeated.
- Two physical network cards of a virtualisation server are assigned to a virtual switch but are accidentally cabled to two different physical network segments. The virtual switch is configured so that it does not forward packets received on one network interface to the other and thus does not form a bridge (see above). Because its two network interfaces are connected to different segments, the virtual switch is no longer clearly assigned to one physical segment. The load distribution mechanism of the virtual switch then sends the network packets of a virtual IT system connected to it sometimes into one segment and sometimes into the other. The virtual IT system can therefore only be reached sporadically and its availability is at risk.
- Several virtualisation products can detect incorrect cabling (as described in the previous two cases) and switch off one or several physical network cards in such a case. In this case, it might no longer be possible to predict which physical network segment the virtual switch is actually connected to. This can result in disconnections to the IT systems connected to the affected virtual switch.
- A virtual infrastructure is set up using two or more virtualisation servers. For this purpose, these servers are each connected to several physical network segments, which are assigned to the respective virtual switches. The switches are named after the physical segment they belong to (switch A - segment A, switch B - segment B, etc.). Due to a cabling error, physical segment A is connected to virtual switch B on one of the virtualisation servers. If the Live Migration function is now used in this virtual infrastructure, a virtual IT system on switch B ends up in a different physical network segment after the migration than before it, because switch B is connected to segment B on one virtualisation server but to segment A on the other. The availability of the system is thus at risk. There is also the risk that data provided by this system becomes accessible from networks in which such access is not permitted.
- For the operation of the virtual IT systems, virtualisation servers often need connections to storage networks in which the data (configuration files, file containers of virtual hard disks) are stored. If the connections to these storage networks are cabled incorrectly, malfunctions can occur when the virtualisation servers access the storage network. This is a threat to the availability of the virtual IT systems operated on these virtualisation servers. This may affect a large number of virtual IT systems.
- Errors in the cabling of the network cards that the virtualisation servers use to communicate with each other in a virtual infrastructure also have far-reaching consequences for their function. The Live Migration and Fault Tolerance functions, for example, rely on synchronising a copy of a virtual IT system between two different virtualisation servers. Fault Tolerance is a procedure in which a virtual IT system runs on two virtualisation servers at the same time, with one copy active and the other passive. If one of the virtualisation servers fails, the copy on the surviving server transparently takes over all functions of the failed one. If the network connections used by the virtualisation servers to synchronise virtual IT systems for Live Migration or Fault Tolerance are cabled incorrectly, these virtualisation functions may not work properly. As a result, the availability of the virtual IT systems is at risk.
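The bridge, split-uplink and Live-Migration cases above can all be found mechanically once each physical uplink is labelled with the segment actually seen on it. The following script is an added example and not part of this catalogue entry; it assumes an inventory of (host, virtual switch, uplink, observed segment) has already been collected, for instance from the hypervisor's uplink table combined with the LLDP/CDP neighbour advertised on each physical port. Host names, switch names and the inventory itself are constructed to reproduce the errors described in the list.

```python
"""Consistency check for the uplink cabling of virtual switches.

Added example, not part of the threat catalogue entry. The inventory, the
design table and the forwarding flags below are constructed assumptions.
"""
from collections import defaultdict

# Design intent: the physical segment each virtual switch is supposed to sit in.
DESIGN = {"vSwitchA": "segA", "vSwitchB": "segB", "brMgmt": "segMgmt"}

# Whether a virtual switch forwards frames between its own uplinks. Hypervisor
# vSwitches normally do not; a plain Linux bridge does (assumed for brMgmt).
FORWARDS_BETWEEN_UPLINKS = {"vSwitchA": False, "vSwitchB": False, "brMgmt": True}

# Constructed inventory: (host, virtual switch, uplink, segment observed on it).
INVENTORY = [
    ("host1", "vSwitchA", "vmnic0", "segA"),
    ("host1", "vSwitchA", "vmnic1", "segA"),
    ("host1", "vSwitchB", "vmnic2", "segB"),
    ("host1", "vSwitchB", "vmnic3", "segA"),    # second uplink patched into segment A
    ("host1", "brMgmt", "vmnic4", "segMgmt"),
    ("host1", "brMgmt", "vmnic5", "segB"),      # bridge couples mgmt and segment B
    ("host2", "vSwitchA", "vmnic0", "segA"),
    ("host2", "vSwitchA", "vmnic1", "segA"),
    ("host2", "vSwitchB", "vmnic2", "segA"),    # whole vSwitchB cabled into segment A
    ("host2", "vSwitchB", "vmnic3", "segA"),
    ("host2", "brMgmt", "vmnic4", "segMgmt"),
]


def check_cabling(inventory, design, forwards):
    """Return a list of (kind, host, vswitch, detail) findings."""
    findings = []
    segs_by_host = defaultdict(lambda: defaultdict(set))
    for host, vsw, _nic, seg in inventory:
        segs_by_host[host][vsw].add(seg)

    for host in sorted(segs_by_host):
        for vsw, segs in sorted(segs_by_host[host].items()):
            joined = "/".join(sorted(segs))
            if len(segs) > 1:
                # Uplinks of one switch land in different segments: either the
                # switch bridges them (segmentation defeated) or its uplink
                # selection sends VM traffic into varying segments (sporadic loss).
                kind = "bridge" if forwards.get(vsw) else "split_uplinks"
                findings.append((kind, host, vsw, joined))
            expected = design.get(vsw)
            if expected and expected not in segs:
                findings.append(("design_mismatch", host, vsw,
                                 f"expected {expected}, found {joined}"))

    # The same switch name must map to the same segment(s) on every host,
    # otherwise a live migration silently moves the VM into another segment.
    by_switch = defaultdict(dict)
    for host, switches in segs_by_host.items():
        for vsw, segs in switches.items():
            by_switch[vsw][host] = frozenset(segs)
    for vsw in sorted(by_switch):
        hosts = by_switch[vsw]
        if len(set(hosts.values())) > 1:
            detail = " ".join(f"{h}={'/'.join(sorted(hosts[h]))}" for h in sorted(hosts))
            findings.append(("inconsistent_across_hosts", "*", vsw, detail))
    return findings


FINDINGS = check_cabling(INVENTORY, DESIGN, FORWARDS_BETWEEN_UPLINKS)

if __name__ == "__main__":
    for kind, host, vsw, detail in FINDINGS:
        print(f"{kind:26} {host:6} {vsw:9} {detail}")
```

Run against a real estate, the "observed segment" column is the part that needs care: the segment must come from what the upstream switch advertises (or from a probe packet seen on the far side), not from the virtualisation server's own configuration, since the configuration is exactly what a cabling error leaves untouched.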
Network connections for virtualisation servers
The network connections of the virtualisation servers are often designed redundantly, since a large number of functions of the virtual infrastructure depend on the physical interfaces. To increase the availability of network interfaces, several network cards are usually configured so that each can take over the function of the other, either on failover or concurrently. There are different procedures for this purpose:
- Load balancing: the MAC addresses of the virtual IT systems are distributed across the physical interfaces by an algorithm so that the load on the individual physical interfaces is as even as possible. If one of the interfaces fails, one of the remaining interfaces takes over the task of the failed one, so that the network connection of the virtual IT systems is at most briefly interrupted. This procedure is compatible with all common physical switches and usually does not require any special configuration of those switches. Load balancing is not specific to virtualisation, but the procedure is of particular importance for the use of virtual IT systems.
- IEEE 802.3ad (Link Aggregation Control Protocol, LACP; now maintained as IEEE 802.1AX) or EtherChannel (Cisco) are protocols in which several physical interfaces are combined into one logical channel. These procedures usually require a matching configuration on the connected physical switch.
Moreover, there are a number of manufacturer-specific designations for the various protocols and procedures used to increase the availability of network cards, for example Bonding in the Linux environment, Teaming, Port Aggregation, Link Aggregation and Trunking. Some of these protocols require a corresponding configuration on the physical switches, and the procedures are only partly compatible with one another. If these procedures are mixed in an inadmissible manner, or if there are misunderstandings between the administrators of the virtualisation servers and those of the physical network infrastructure, malfunctions can arise from the resulting incompatibilities. In many cases, the resulting disconnections occur only sporadically, which makes their cause correspondingly difficult to establish.
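The mismatch between a host-side aggregation mode and the switch-side configuration is visible from the host in the Linux bonding case: the driver reports its state under /proc/net/bonding/<bond>, and a bond running 802.3ad against switch ports that do not speak LACP never learns a partner (the partner MAC stays 00:00:00:00:00:00), while slaves cabled to ports that do not form one channel land in different aggregators. The script below is an added example, not part of this entry or of any vendor tool; it parses that file format and flags both symptoms. The sample text is constructed, not captured from a real system, and the `switch_side_lacp` parameter stands in for what the network administrators say the switch port is configured for.

```python
"""Sanity check of a Linux bond against the switch-side configuration.

Added example, not part of the original text. Parses the format of
/proc/net/bonding/<bond>; SAMPLE is a constructed file showing a host in
802.3ad mode whose switch ports neither negotiate LACP nor form one channel.
"""
import re
import sys

SAMPLE = """\
Ethernet Channel Bonding Driver: v5.15.0

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up

802.3ad info
LACP active: on
System MAC address: 52:54:00:aa:bb:01
Active Aggregator Info:
\tAggregator ID: 1
\tPartner Key: 1
\tPartner Mac Address: 00:00:00:00:00:00

Slave Interface: eth0
MII Status: up
Permanent HW addr: 52:54:00:aa:bb:01
Aggregator ID: 1
Partner Churn State: churned
details partner lacp pdu:
    system mac address: 00:00:00:00:00:00
    oper key: 1

Slave Interface: eth1
MII Status: up
Permanent HW addr: 52:54:00:aa:bb:02
Aggregator ID: 2
Partner Churn State: churned
details partner lacp pdu:
    system mac address: 00:00:00:00:00:00
    oper key: 1
"""

NULL_MAC = "00:00:00:00:00:00"


def parse_bonding(text):
    """Split the bond status text into the bond mode and one dict per slave."""
    parts = re.split(r"^Slave Interface: (\S+)$", text, flags=re.M)
    header, rest = parts[0], parts[1:]
    mode = re.search(r"^Bonding Mode: (.+)$", header, re.M).group(1).strip()
    slaves = []
    for name, body in zip(rest[::2], rest[1::2]):
        agg = re.search(r"^Aggregator ID: (\d+)", body, re.M)
        mii = re.search(r"^MII Status: (\w+)", body, re.M)
        partner = re.search(r"details partner lacp pdu:.*?system mac address: ([0-9a-fA-F:]+)",
                            body, re.S)
        slaves.append({
            "name": name,
            "mii": mii.group(1) if mii else "unknown",
            "aggregator_id": int(agg.group(1)) if agg else None,
            "partner_mac": partner.group(1).lower() if partner else None,
        })
    return {"mode": mode, "slaves": slaves}


def check_bond(info, switch_side_lacp=None):
    """Return (kind, detail) findings. switch_side_lacp: True = switch port is
    an LACP channel, False = plain access ports, None = unknown (assumed input
    from the network team, not read from the host)."""
    findings = []
    host_lacp = "802.3ad" in info["mode"]
    if switch_side_lacp is True and not host_lacp:
        findings.append(("mode_mismatch", f"switch port runs LACP, host bond mode is '{info['mode']}'"))
    if switch_side_lacp is False and host_lacp:
        findings.append(("mode_mismatch", "host bond runs LACP, switch port does not"))
    for s in info["slaves"]:
        if s["mii"] != "up":
            findings.append(("link_down", s["name"]))
    if host_lacp:
        for s in info["slaves"]:          # no partner: switch side never answered LACP
            if s["partner_mac"] in (None, NULL_MAC):
                findings.append(("no_lacp_partner", s["name"]))
        aggs = {s["name"]: s["aggregator_id"] for s in info["slaves"]}
        if len(set(aggs.values())) > 1:   # slaves are not in one channel on the switch
            findings.append(("split_aggregator", " ".join(f"{n}={a}" for n, a in aggs.items())))
    return findings


if __name__ == "__main__":
    # Pass a bond name to read the live file, otherwise the constructed sample is used.
    text = open(f"/proc/net/bonding/{sys.argv[1]}").read() if len(sys.argv) > 1 else SAMPLE
    for kind, detail in check_bond(parse_bonding(text)):
        print(f"{kind:16} {detail}")
```

A bond in this state typically carries traffic on whichever slave the driver currently considers active, which is why the outage pattern is sporadic rather than total; checking the partner MAC and aggregator IDs after every cabling change catches the error before the first failover exposes it.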