During a meeting with a client when I was going over how packets are processed within the IOChain between a VM and a vSwitch, I was asked a question that stumped me…. what happens at Slot 3?
It’s common knowledge that the first 4 and last 3 slots in the IOchain are reserved for VMware and slots 4-12 are reserved for 3rd parties where services are inserted (or traffic redirected).
During my discussions I’ve only ever spoken about Slots 0-2 and 4-12…..
After much digging around and questioning the NSBU SEs, I was told that there was no real answer apart from it’s probably a VMware reserved slot for future use. =)
It’s also worth noting that Slot 15 used to be classed as a “reserved slot for future use” but is now intended to be used for Distributed Network Encryption when it becomes available (makes sense that encryption is the last thing that happens on the IOChain for packets leaving a VM, and decryption being the first for packets entering the VM).
Anyways, decided it’s probably worth blogging about IOChain slots. =)
So when a VM connects to a Logical switch there are several security services that each packet transverses which are implemented as IOChains processed within the vSphere kernel.
Slot 0: DVFilter – the Distibuted Virtual Filter monitors ingress/egress traffic on the protected vNIC and performs stateless filtering and ACL.
Slot 1: vmware-swsec – the Switch Security module learns the VMs IP/MAC address and captures any DHCP Ack or ARP broadcasts from the VM, redirecting the request to the NSX Controller – this is the ARP suppression feature. This slot is also where NSX IP Spoofguard is implemented.
Slot 2: vmware-sfw – this is where the NSX Distributed Firewall resides and where DFW rules are stored and enforced (so firewall rule and connection tables).
Slot 3: reserved for future use by VMware
Slot 4-12: 3rd party services – this is where traffic is redirected to 3rd party service appliances
Slot 13-14: reserved for future use by VMware
Slot 15: Distributed Network Encryption (when it becomes available)