Every now and then we get stuck trying to figure out why a virtual machine will not successfully migrate via vMotion. Determining why the vMotion migration doesn’t work can also be challenging. This is especially the case if VMware DRS is in use or vMotion is configured for a cluster. A sign of vMotion not working for a configuration requirement can be a constantly imbalanced cluster, or possibly a failed manual vMotion task.
Recently, in a lab environment, I came across a vMotion failure that was a first for me. This vMotion requirement was that the virtual switch’s policy exceptions need to match, in particular, promiscuous mode. As it turns out, a vMotion migration requires that this setting on all switches being migrated is the same. This was in use in the lab for nested ESXi virtual machines, which I utilize extensively, so most hosts had the promiscuous mode enabled. The new host in the cluster did not have it enabled. One of the requirements to be able to power on virtual machines on an ESXi virtual machine is to have promiscuous mode enabled on the virtual switch, as shown in Figure A:
This configuration requirement is easy to overlook, but can impact virtual machines that are not just virtualized ESXi servers, but any virtual machine. I’ve found a couple of ways to prevent this from happening again. One way is to dedicate specific vmnic interfaces that would hold the virtual machines that require additional security settings on virtualized switches. Another approach would be to utilize vSphere host profiles or the vNetwork distributed switching technologies, which would provide a centralized configuration for the ESXi hosts. A final option would be to script virtual switch configuration.
I found that promiscuous mode was enabled as a series of one-off configuration events in the lab environment, but for that workload it was a requirement for virtualized ESXi systems.
Because vMotion requires consistent virtual switch security configuration, steps to ensure consistent settings should be employed. What steps have you done to configure consistent virtual switch security policies? Share your comments below.