2. Microsoft Virtual Academy: course agenda
First Half:
(01) Introduction to Microsoft Virtualization
(02) Hyper-V Infrastructure
(03) Hyper-V Networking
(04) Hyper-V Storage
** MEAL BREAK **
Second Half:
(05) Hyper-V Management
(06) Hyper-V High Availability and Live Migration
(07) Integration with System Center 2012 Virtual Machine Manager
(08) Integration with Other System Center 2012 Components
7. Synthetic Adapters vs. Legacy (Emulated) Adapters
Synthetic adapters are the paravirtualized (VMBus) path and need the Integration Services network driver inside the guest; legacy adapters emulate a physical NIC, work in any guest without Integration Services, and are what a VM needs for PXE boot, at a much higher CPU cost per packet. Guest operating systems listed on the slide:
Windows Server 2003 SP2
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Linux (SLES 10, 11)
RHEL 5.x/6.x
CentOS 5.x/6.x
Windows XP
Windows Vista
Windows 7
Windows 8
OpenSUSE
Etc.
8. Customer questions about virtual networking:
• How do I ensure network multi-tenancy?
• IP address management is a pain.
• What if VMs are competing for bandwidth?
• How do I fully leverage the network fabric?
• How do I integrate with the existing fabric?
• Network metering?
• Can I dedicate a NIC to a workload?
9. [Figure: a data center hosting Tenant 1 and Tenant 2, each running multiple VM workloads]
10. [Figure: the same two-tenant data center, with NIC teaming shown on the hosts]
11. [Figure: the same two-tenant data center, annotated with per-tenant bandwidth figures (15, 25) and price tiers ($$, $$$$)]
12. [Figure: the same two-tenant data center]
17. [Figure: a Woodgrove VM and a Contoso VM on one physical server, each attached to its own virtual network (Woodgrove network, Contoso network) carried over one physical network]
Hyper-V Machine Virtualization
• Run multiple virtual servers on a physical server
• Each VM has the illusion that it is running as a physical server
Hyper-V Network Virtualization
• Run multiple virtual networks on a physical network
• Each virtual network has the illusion that it is running as a physical fabric
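The two-tenant picture above, as an added example that is not part of the MVA deck: Windows Server 2012 Hyper-V Network Virtualization (NVGRE encapsulation) gives Woodgrove and Contoso separate virtual subnets on one host and one physical NIC, even though both tenants use the same customer address 10.0.0.5. The NIC name, provider address, VM names, routing-domain GUIDs and VSIDs are constructed placeholders; the cmdlets are the ones in the in-box Hyper-V and NetWNV modules.

```powershell
# Added example, not from the deck. Run elevated on a Windows Server 2012 Hyper-V host.
Import-Module Hyper-V
Import-Module NetWNV    # Hyper-V Network Virtualization cmdlets (in box on WS2012)

$Nic          = 'Ethernet'        # assumption: physical NIC carrying tenant traffic
$ProviderAddr = '192.168.10.21'   # assumption: this host's provider (underlay) address

# One routing domain and one virtual subnet ID (VSID) per tenant.
# VSIDs are 24-bit values in the range 4096..16777214; placeholders below.
$Tenants = @(
    @{ Name = 'Woodgrove'; Vm = 'Woodgrove-VM'; RoutingDomain = '{11111111-1111-1111-1111-111111111111}'; Vsid = 5001 },
    @{ Name = 'Contoso';   Vm = 'Contoso-VM';   RoutingDomain = '{22222222-2222-2222-2222-222222222222}'; Vsid = 5002 }
)

# 1. Bind the network virtualization filter (ms_netwnv) to the physical NIC and
#    register this host's provider address on it.
Enable-NetAdapterBinding -Name $Nic -ComponentID ms_netwnv
$IfIndex = (Get-NetAdapter -Name $Nic).ifIndex
New-NetVirtualizationProviderAddress -InterfaceIndex $IfIndex -ProviderAddress $ProviderAddr -PrefixLength 24

foreach ($t in $Tenants) {
    # 2. Stamp the tenant VM's vNIC with its VSID. Frames leaving that vNIC are
    #    encapsulated with the VSID, so they can never land in the other tenant's
    #    virtual subnet even though the IP addresses collide.
    Set-VMNetworkAdapter -VMName $t.Vm -VirtualSubnetId $t.Vsid
    $mac = (Get-VMNetworkAdapter -VMName $t.Vm).MacAddress   # 12 hex digits, no separators

    # 3. Lookup record: customer address -> provider address for this VM.
    #    The same CA (10.0.0.5) appears once per VSID; the VSID disambiguates it.
    New-NetVirtualizationLookupRecord -CustomerAddress '10.0.0.5' -ProviderAddress $ProviderAddr `
        -VirtualSubnetID $t.Vsid -MACAddress $mac -Rule TranslationMethodEncap `
        -VMName $t.Vm -CustomerID $t.RoutingDomain

    # 4. Customer route for the tenant's own subnet inside its routing domain.
    New-NetVirtualizationCustomerRoute -RoutingDomainID $t.RoutingDomain -VirtualSubnetID $t.Vsid `
        -DestinationPrefix '10.0.0.0/24' -NextHop '0.0.0.0' -Metric 255
}

# Verify: records are keyed by VSID, not by address, which is the whole point.
Get-NetVirtualizationLookupRecord | Format-Table CustomerAddress, VirtualSubnetID, ProviderAddress, VMName
```

Every host that can receive a tenant VM needs the same lookup records and customer routes (in practice pushed by System Center VMM); a host with a stale record silently black-holes that VM's traffic, so treat the record set as configuration under change control, not as something typed by hand.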
20. [Figure: a data center hosting Tenant 1 and Tenant 2, each running multiple VM workloads]
22. Hyper-V Extensible Switch
• PVLANs
• ARP/ND poisoning protection
• DHCP Guard protection
• Virtual port ACLs
• Trunk mode to virtual machines
• Monitoring & port mirroring
• Windows PowerShell & WMI management
The Hyper-V Extensible Switch allows a deeper integration with customers' existing network infrastructure, monitoring, and security tools.
23. Extensible Switch architecture
[Figure: the physical NIC is bound to the Extensible Switch in the root partition; between the switch and the host NIC / VM NICs of VM1 and VM2 sits the extension stack: extension protocol, capture extensions (NDIS), the Windows Filtering Platform filtering engine with its BFE service and firewall callout, forwarding extensions (NDIS), and the extension miniport]
On ingress a frame passes capture extensions, then filtering, then forwarding; on egress it passes them in the reverse order. Only one forwarding extension can be active on a switch at a time, since it replaces the switch's own forwarding decision.
Capture extensions (NDIS)
• Can inspect traffic and generate new traffic for reporting purposes
• Do not modify existing Extensible Switch traffic
• Example: sFlow by InMon
Windows Filtering Platform (WFP) extensions
• Can inspect, drop, modify, and insert packets using the WFP APIs
• Windows antivirus and firewall software uses WFP for traffic filtering
• Example: Virtual Firewall by 5nine Software
Forwarding extensions (NDIS)
• Direct traffic, defining the destination(s) of each packet
• Can also capture and filter traffic
• Examples: Cisco Nexus 1000V and UCS; NEC ProgrammableFlow vPFS (OpenFlow)
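The extension stack above, as an added example that is not part of the deck: an audit of which capture, filtering and forwarding extensions are active on each switch, using the in-box Hyper-V cmdlets. The two Microsoft extension names are the ones Windows Server 2012 ships with; the switch name and the vendor extension name are placeholders.

```powershell
# Added example, not from the deck. Run elevated on the Hyper-V host.
Import-Module Hyper-V

function Get-VMSwitchExtensionReport {
    param([string]$SwitchName = '*')
    foreach ($sw in Get-VMSwitch -Name $SwitchName) {
        $ext = Get-VMSwitchExtension -VMSwitchName $sw.Name
        # ExtensionType is one of Capture, Filter, Forwarding.
        $forwarding = @($ext | Where-Object { $_.ExtensionType -eq 'Forwarding' -and $_.Enabled })
        [pscustomobject]@{
            Switch             = $sw.Name
            Capture            = @($ext | Where-Object { $_.ExtensionType -eq 'Capture' -and $_.Enabled }).Name -join ', '
            Filtering          = @($ext | Where-Object { $_.ExtensionType -eq 'Filter'  -and $_.Enabled }).Name -join ', '
            Forwarding         = $forwarding.Name -join ', '
            # Only one forwarding extension can be active; more than one enabled
            # means an installer and your policy disagree.
            ForwardingConflict = $forwarding.Count -gt 1
            # Enabled but not Running means the driver did not load: nothing is
            # inspecting that switch's traffic even though the console says it is.
            EnabledNotRunning  = @($ext | Where-Object { $_.Enabled -and -not $_.Running }).Name -join ', '
        }
    }
}

Get-VMSwitchExtensionReport | Format-Table -AutoSize

# In-box extensions on WS2012: "Microsoft Windows Filtering Platform" is enabled by
# default and is what Windows Firewall and WFP-based virtual firewalls hook;
# "Microsoft NDIS Capture" is disabled by default. Enable it only on the switch
# where a capture tool actually needs VM traffic (placeholder switch name).
Enable-VMSwitchExtension -VMSwitchName 'Tenant-Switch' -Name 'Microsoft NDIS Capture'

# A vendor forwarding extension replaces the switch's forwarding logic; confirm it
# is Running before relying on its ACLs or VLAN handling (placeholder name).
Get-VMSwitchExtension -VMSwitchName 'Tenant-Switch' -Name 'Contoso vSwitch Forwarding' |
    Select-Object Name, ExtensionType, Enabled, Running
```

Run the report after every host patch cycle and driver update: an extension that is Enabled but not Running is the failure mode that matters, because the switch keeps forwarding without it.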
24. Windows Server 2012 Hyper-V networking at a glance
• Open, extensible virtual switch: Nexus 1000V support, OpenFlow support, network introspection, much more
• Advanced networking: ACLs, PVLAN, much more
• Windows NIC Teaming
• Network QoS: per-vNIC bandwidth reservations & limits, network metering
• DVMQ (Dynamic Virtual Machine Queue)
• SR-IOV network support: reduces latency & CPU utilization, supports Live Migration
25. SR-IOV
• Reduces latency of the network path
• Reduces CPU utilization for processing network traffic
• Increases throughput
• Supports Live Migration
[Figure: network I/O path without SR-IOV (physical NIC, then the root partition's Hyper-V Switch doing routing, VLAN filtering and a data copy, then the virtual NIC in the virtual machine) beside the path with SR-IOV (a virtual function of the SR-IOV physical NIC mapped directly into the virtual machine)]
26. SR-IOV enabling & Live Migration
Turn on IOV (the software switch runs in IOV mode) and enable IOV on the VM NIC property:
• A Virtual Function is "assigned" to the VM
• Inside the VM's network stack a team of the software NIC and the VF is created automatically
• Traffic flows through the VF; the software path is not used
Live Migration:
• Remove the VF from the VM
• Break the team
• Migrate as normal
Post migration:
• Reassign a Virtual Function, assuming resources are available
The VM keeps connectivity through the software NIC even if, on the destination, the switch is not in IOV mode, no IOV physical NIC is present, or the NIC is from a different vendor or runs different firmware.
[Figure: three stages of the VM's software NIC teamed with a Virtual Function over a software switch in IOV mode on SR-IOV physical NICs]
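The enable-and-migrate sequence above, as an added example that is not part of the deck: create an IOV switch, request a VF for a VM, verify the VF is actually in use rather than silently falling back to the software path, and re-check after Live Migration. The NIC, switch, VM and destination host names are placeholders; the cmdlets and properties are from the in-box Hyper-V and NetAdapter modules.

```powershell
# Added example, not from the deck. Run elevated on the Hyper-V host.
Import-Module Hyper-V

$NicName = 'Ethernet 2'       # assumption: SR-IOV capable NIC, IOV enabled in firmware/BIOS, IOMMU on
$Switch  = 'IOV-Switch'
$VM      = 'LowLatency-VM'

# 1. Driver-side view of the NIC's IOV capability.
Get-NetAdapterSriov -Name $NicName | Format-List Name, SriovSupport, Enabled, NumVFs

# 2. IOV is a create-time property of a switch and cannot be toggled later.
#    An IOV switch cannot enforce minimum-bandwidth QoS (VF traffic bypasses the
#    software switch), so MinimumBandwidthMode is left at None here.
New-VMSwitch -Name $Switch -NetAdapterName $NicName -EnableIov $true -AllowManagementOS $false

$sw = Get-VMSwitch -Name $Switch
if (-not $sw.IovEnabled -or -not $sw.IovSupport) {
    # IovSupportReasons explains why (IOMMU off, no ACS, driver or firmware).
    throw "IOV not usable on ${Switch}: $($sw.IovSupportReasons -join '; ')"
}

# 3. Connect the VM and ask for a VF. IovWeight 0 = software path only;
#    1..100 requests a VF (the weight only matters when VFs are oversubscribed).
Connect-VMNetworkAdapter -VMName $VM -SwitchName $Switch
Set-VMNetworkAdapter -VMName $VM -IovWeight 100 -IovQueuePairsRequested 1

function Test-VMUsingVF {
    param([string]$VMName)
    $nic = Get-VMNetworkAdapter -VMName $VMName
    # IovUsage is 1 when a VF is assigned and 0 when the VM is on the synthetic
    # path. Weight 100 with usage 0 means the host ran out of VFs or the guest
    # lacks the VF driver: still connected, but none of the latency/CPU savings.
    [pscustomobject]@{
        VM        = $VMName
        IovWeight = $nic.IovWeight
        UsingVF   = [bool]$nic.IovUsage
        Status    = $nic.StatusDescription
    }
}

Test-VMUsingVF -VMName $VM

# 4. Live Migration: Hyper-V removes the VF, breaks the in-guest team so the
#    software NIC carries traffic, migrates, then reassigns a VF on the target if
#    one is free. Re-check on the target: connectivity survives either way, but the
#    VM may now be on the software path without anyone noticing.
Move-VM -Name $VM -DestinationHost 'HV-HOST-02'      # placeholder destination host
Invoke-Command -ComputerName 'HV-HOST-02' -ScriptBlock ${function:Test-VMUsingVF} -ArgumentList $VM
```

Because a VF is a PCIe function doing DMA into guest memory, the host's IOMMU (Intel VT-d / AMD-Vi) is what confines that DMA to the owning VM; if IovSupportReasons mentions the IOMMU, fix that in firmware rather than working around it.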
28. IPsec Task Offload: Microsoft expects deployment of Internet Protocol security (IPsec) to increase significantly in the coming years. The large demands placed on the CPU by the IPsec integrity and encryption algorithms can reduce the performance of your network connections. IPsec Task Offload is a technology built into the Windows operating system that moves this workload from the main computer's CPU to a dedicated processor on the network adapter.
SR-IOV is a specification that allows a PCIe device to appear to be multiple separate physical PCIe devices. The SR-IOV specification was created and is maintained by the PCI-SIG, with the idea that a standard specification will help promote interoperability. SR-IOV works by introducing the idea of physical functions (PFs) and virtual functions (VFs). Physical functions are full-featured PCIe functions; virtual functions are "lightweight" functions that lack configuration resources, so a VF can be mapped into a VM while the PF and its configuration stay with the host, and the host's IOMMU (Intel VT-d / AMD-Vi) confines each VF's DMA to its VM's memory.
Dynamic Virtual Machine Queue (dVMQ) uses hardware packet filtering to deliver packet data from an external virtual machine network directly to virtual machines, which reduces the overhead of routing packets and copying them from the management operating system to the virtual machine.
37. Networking Performance
The Hyper-V Extensible Switch takes advantage of hardware innovation to drive the highest levels of networking performance within virtual machines.
• Dynamic VMQ: dynamically span multiple CPUs when processing virtual machine network traffic
• IPsec Task Offload: offload IPsec processing from within the virtual machine to the physical network adapter, enhancing performance
• SR-IOV support: map a virtual function of an SR-IOV-capable physical network adapter directly to a virtual machine
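The three offloads on this slide and the notes on slide 28, as an added example that is not part of the deck: a per-vNIC report of what was requested versus what the hardware actually granted, because a VMQ weight, IPsec SA budget or IOV weight that never engages gives none of the benefit while looking configured. VM names are placeholders; the properties are those of the Get-VMNetworkAdapter objects in Windows Server 2012.

```powershell
# Added example, not from the deck. Run elevated on the Hyper-V host.
Import-Module Hyper-V

function Get-VMNicOffloadReport {
    param([string]$VMName = '*')
    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
        [pscustomobject]@{
            VM          = $nic.VMName
            Adapter     = $nic.Name
            # VmqWeight is policy; VmqUsage is the number of hardware queues the
            # NIC actually granted (0 = this vNIC is served by the default queue).
            VmqWeight   = $nic.VmqWeight
            VmqQueues   = $nic.VmqUsage
            # IPsec security associations the vNIC may offload vs. currently offloaded.
            IPsecSAMax  = $nic.IPsecOffloadMaximumSecurityAssociation
            IPsecSAUsed = $nic.IPsecOffloadSAUsage
            # SR-IOV: IovWeight is the request; IovUsage says whether a VF is assigned.
            IovWeight   = $nic.IovWeight
            UsingVF     = [bool]$nic.IovUsage
        }
    }
}

Get-VMNicOffloadReport | Format-Table -AutoSize

# Tune per vNIC. VmqWeight 0 keeps a chatty low-priority VM from consuming one of
# the NIC's finite queues; an IPsec SA budget of 0 keeps crypto on the guest CPU,
# which is the right call when the NIC's offload does not support the suite the
# guest negotiates (placeholder VM names).
Set-VMNetworkAdapter -VMName 'Batch-VM' -VmqWeight 0
Set-VMNetworkAdapter -VMName 'VPN-VM'   -VmqWeight 100 -IPsecOffloadMaximumSecurityAssociation 512

# Physical side: which host NICs have VMQ enabled and how many queues they expose.
Get-NetAdapterVmq | Format-Table Name, Enabled, BaseVmqProcessor, MaxProcessors, NumberOfReceiveQueues
```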
40. Feature comparison
Feature                  | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012
NIC Teaming              | Yes, via partners   | Yes, via partners      | Yes, Windows NIC Teaming in box
VLAN Tagging             | Yes                 | Yes                    | Yes
MAC Spoofing Protection  | No                  | Yes, with R2 SP1       | Yes
ARP Spoofing Protection  | No                  | Yes, with R2 SP1       | Yes
SR-IOV Networking        | No                  | No                     | Yes
Network QoS              | No                  | No                     | Yes
Network Metering         | No                  | No                     | Yes
Network Monitor Modes    | No                  | No                     | Yes
IPsec Task Offload       | No                  | No                     | Yes
VM Trunk Mode            | No                  | No                     | Yes
41. Summary
• Hyper-V is fully integrated in the Windows network stack
• Use the synthetic network adapter
• Use VLAN tagging & firewall rules for security
• Windows Server 2012 includes in-box NIC Teaming for load balancing and failover
• VMQ provides great performance for most workloads
• SR-IOV for low-latency, high-throughput workloads
Speaker notes
Customers do not want to be impacted by the hoster's hardware problems. Hosters want to differentiate by being able to offer always-up/always-on guarantees while accounting for potential hardware failures in the network.
This is a great opportunity to talk about the cloud admin's ability to offer differentiated services, especially around network workloads on shared infrastructure. For the first time a "Gold" customer can be hosted on the same hardware as a "Bronze" customer without any worry that the "Bronze" customer can impact the networking guarantee of the "Gold" customer; the guarantee is backed by Hyper-V QoS (a minimum bandwidth weight or absolute reservation per vNIC, optionally with a maximum cap).
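The Gold/Bronze scenario above, as an added example that is not part of the deck: a switch in weight-based minimum-bandwidth mode, a guaranteed share for the Gold tenant and a hard cap for the Bronze tenant, followed by a check of the percentage the switch will actually enforce. Switch, NIC and VM names and the tier numbers are placeholders.

```powershell
# Added example, not from the deck. Run elevated on the Hyper-V host.
Import-Module Hyper-V

# Weight mode: shares are enforced only under congestion; idle bandwidth is free
# for anyone. (Absolute mode reserves bits/s instead.) Neither mode can be used on
# an SR-IOV switch, because VF traffic bypasses the software switch.
New-VMSwitch -Name 'Tenant-Switch' -NetAdapterName 'Ethernet' -MinimumBandwidthMode Weight -AllowManagementOS $false
# vNICs with no weight of their own share the default flow; give it a small floor
# so an unconfigured VM is neither starved nor able to starve others.
Set-VMSwitch -Name 'Tenant-Switch' -DefaultFlowMinimumBandwidthWeight 10

# MaximumBandwidth is in bits per second; 0 means no cap.
$Tiers = @{
    Gold   = @{ Weight = 60; MaxBps = 0          }
    Bronze = @{ Weight = 10; MaxBps = 1000000000 }   # 1 Gbit/s ceiling for Bronze
}

function Set-TenantNetworkTier {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][ValidateSet('Gold', 'Bronze')][string]$Tier
    )
    $t = $Tiers[$Tier]
    Set-VMNetworkAdapter -VMName $VMName -MinimumBandwidthWeight $t.Weight -MaximumBandwidth $t.MaxBps
}

Set-TenantNetworkTier -VMName 'Gold-Web01'   -Tier Gold
Set-TenantNetworkTier -VMName 'Bronze-Lab01' -Tier Bronze

# Verify the resolved guarantee: BandwidthPercentage is the share each weight
# works out to across all vNICs currently on the switch, which is what a Bronze
# burst cannot take away from Gold.
Get-VMNetworkAdapter -VMName 'Gold-Web01', 'Bronze-Lab01' |
    Select-Object VMName, BandwidthPercentage,
        @{ n = 'MinWeight'; e = { $_.BandwidthSetting.MinimumBandwidthWeight } },
        @{ n = 'MaxBps';    e = { $_.BandwidthSetting.MaximumBandwidth } }
```

The weights are relative, so adding a tenant changes every existing percentage; re-run the verification after each placement rather than trusting the numbers chosen at design time.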
A VLAN ID is the integer that uniquely identifies a node as belonging to a particular VLAN. Per the 802.1Q specification, the VLAN ID is carried in a tag inside the Ethernet frame header, which is how multiple VMs sharing the same physical NIC can communicate on different VLANs simultaneously.
First, you need physical NICs that support VLAN tagging, and you need to enable the feature. However, you should generally not set the VLAN ID on the physical NIC; set it on either the virtual switch or the individual virtual machine's configuration. The VLAN ID on the virtual switch is what the host (parent partition) uses; the VLAN ID in each virtual machine's settings is what that VM uses.
When creating an external network in Hyper-V, a virtual network switch is created and bound to the selected physical adapter. A new virtual network adapter is created in the parent partition and connected to the virtual network switch. Child partitions are bound to the virtual network switch through their own virtual network adapters. Hyper-V also supports VLANs and VLAN IDs on the virtual network switch and on virtual network adapters, using 802.1Q VLAN trunking to the physical switch.
VLAN tags are used to improve security by isolating specific hosts on specific networks. Tags need to be configured on both the VM and the host, and the physical switch port the host uplinks to must be a trunk that carries exactly those VLAN IDs; the isolation is only as strong as that upstream trunk configuration.
DHCP Guard lets you specify whether DHCP server messages coming from a VM should be dropped. It is enforced at the vNIC, so a guest that starts a rogue DHCP server cannot hand out addresses to its neighbours. For VMs that run an authorized instance of the DHCP server role, turn DHCP Guard off; for everything else leave it on:
Set-VMNetworkAdapter -VMName MyDhcpServer1 -DhcpGuard Off
Set-VMNetworkAdapter -VMName MyDhcpServer1 -DhcpGuard On
ARP/ND poisoning (spoofing) protection: the Hyper-V Extensible Switch protects against a malicious VM stealing IP addresses from other VMs through ARP spoofing (also known as ARP poisoning in IPv4). In this man-in-the-middle attack, a malicious VM sends a fake ARP message that associates its own MAC address with an IP address it does not own; unsuspecting VMs then send traffic destined for that IP address to the malicious VM's MAC address instead of to the intended destination. For IPv6, Windows Server 2012 provides equivalent protection against Neighbor Discovery (ND) spoofing.
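The VLAN, DHCP Guard and spoofing notes above, combined into one per-tenant vNIC hardening routine, as an added example that is not part of the deck: an access VLAN for the tenant, DHCP Guard and its sibling Router Guard, MAC address spoofing disabled (which closes the layer-2 half of the ARP attack described above), and port ACLs that pin the vNIC to its tenant subnet, with resource metering enabled for chargeback. VM names, VLAN IDs and subnets are placeholders; everything else is the in-box Hyper-V module.

```powershell
# Added example, not from the deck. Run elevated on the Hyper-V host.
Import-Module Hyper-V

function Protect-TenantVMNetwork {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][int]$VlanId,          # 1..4094; must be trunked on the physical uplink
        [Parameter(Mandatory)][string]$TenantCidr,   # e.g. 10.10.0.0/24, includes the tenant gateway
        [switch]$IsAuthorizedDhcpServer
    )
    # Access mode: the switch tags this VM's frames with $VlanId; the guest cannot
    # pick a VLAN. Trunk mode would let the guest tag, so reserve it for VMs that
    # legitimately route between VLANs.
    Set-VMNetworkAdapterVlan -VMName $VMName -Access -VlanId $VlanId

    $dhcpGuard = if ($IsAuthorizedDhcpServer) { 'Off' } else { 'On' }
    $guards = @{
        MacAddressSpoofing = 'Off'       # drop frames whose source MAC is not the vNIC's own
        DhcpGuard          = $dhcpGuard  # drop DHCP *server* messages from this VM
        RouterGuard        = 'On'        # drop router advertisements / redirects from this VM
    }
    Set-VMNetworkAdapter -VMName $VMName @guards

    # Port ACLs: the most specific (longest-prefix) match wins, so a broad deny
    # plus a narrower allow confines the vNIC to its tenant subnet both ways.
    # ACLs are additive; a second run appends, it does not replace.
    Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress 0.0.0.0/0   -Direction Both -Action Deny
    Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress ::/0        -Direction Both -Action Deny
    Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress $TenantCidr -Direction Both -Action Allow

    # Network metering for the tenant: Measure-VM then reports per-vNIC bytes.
    Enable-VMResourceMetering -VMName $VMName
}

Protect-TenantVMNetwork -VMName 'Woodgrove-Web01' -VlanId 110 -TenantCidr '10.10.0.0/24'
Protect-TenantVMNetwork -VMName 'Woodgrove-DHCP'  -VlanId 110 -TenantCidr '10.10.0.0/24' -IsAuthorizedDhcpServer

# Verify. Expect Access/110 everywhere, MacAddressSpoofing Off, DhcpGuard On except
# on the DHCP VM, and the three ACL entries per vNIC.
Get-VMNetworkAdapterVlan -VMName 'Woodgrove-*' | Format-Table VMName, OperationMode, AccessVlanId
Get-VMNetworkAdapter     -VMName 'Woodgrove-*' | Format-Table VMName, MacAddressSpoofing, DhcpGuard, RouterGuard
Get-VMNetworkAdapterAcl  -VMName 'Woodgrove-Web01'
Measure-VM -VMName 'Woodgrove-Web01' | Select-Object -ExpandProperty NetworkMeteredTrafficReport
```

MacAddressSpoofing Off also breaks guests that legitimately need to source other MACs (a VM running NLB, or a nested virtualization host); grant those exceptions per VM, never by turning the setting on across a tenant.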
Event Tracing for Windows (ETW) gives application programmers the ability to start and stop event tracing sessions, instrument an application to provide trace events, and consume trace events. Trace events contain an event header and provider-defined data that describes the current state of an application or operation. You can use the events to debug an application and to perform capacity and performance analysis.
In Windows Server 2012, a new parameter is added to the Netsh Trace commands provided in Windows Server 2008 R2. The new parameter, capturetype, extends the tracing capabilities so that network administrators can capture network traffic more efficiently, making troubleshooting of network issues more effective. With capturetype you can capture: physical computer traffic (traffic that originates or terminates on the physical computer); virtual machine traffic (traffic that originates or terminates on virtual machines); and traffic that traverses the Hyper-V virtual switch. The combination of these new capabilities with the tracing capabilities provided in Windows Server 2008 R2 is known as Unified Tracing.
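The monitoring features on slide 22 (port mirroring) and the Unified Tracing notes above, as an added example that is not part of the deck: mirror a suspect VM's traffic to a sensor VM on the same switch, list every mirror source and destination on the host so a forgotten mirror gets noticed, and take a short switch-level capture with netsh trace. VM names and the trace path are placeholders; capturetype=vmswitch is the Windows Server 2012 parameter the notes describe.

```powershell
# Added example, not from the deck. Run elevated on the Hyper-V host.
Import-Module Hyper-V

# 1. Port mirroring: the suspect VM is the Source, the IDS/sensor VM the
#    Destination. Both vNICs must be on the same virtual switch. Keep the sensor
#    vNIC passive (no IP address of its own on that VLAN) since it now receives
#    frames addressed to other MACs.
Set-VMNetworkAdapter -VMName 'Suspect-VM' -PortMirroring Source
Set-VMNetworkAdapter -VMName 'Sensor-VM'  -PortMirroring Destination

function Get-PortMirrorMap {
    # Every vNIC (including management-OS vNICs via -All) whose mirroring mode is
    # not None, grouped by switch. A 'Destination' on a tenant VM is a silent
    # sniffer of its neighbours and should never appear here unexpectedly.
    Get-VMNetworkAdapter -All |
        Where-Object { $_.PortMirroringMode -ne 'None' } |
        Select-Object SwitchName, VMName, Name, PortMirroringMode |
        Sort-Object SwitchName, PortMirroringMode
}
Get-PortMirrorMap | Format-Table -AutoSize

# 2. Unified Tracing on the host. capturetype=vmswitch records frames crossing the
#    extensible switch, physical records the host NIC, both records both. Bound the
#    file size; an unbounded ETL on a busy host fills the system volume quickly.
#    Open the ETL in Network Monitor 3.4 (or Message Analyzer) to read the frames.
netsh trace start capture=yes capturetype=vmswitch tracefile=C:\Traces\vmswitch.etl maxsize=250 overwrite=yes
Start-Sleep -Seconds 30
netsh trace stop

# 3. Remove the mirror when the investigation ends; a lingering mirror is a
#    standing copy of one tenant's traffic to another machine.
Set-VMNetworkAdapter -VMName 'Suspect-VM', 'Sensor-VM' -PortMirroring None
```

Run Get-PortMirrorMap from the same scheduled audit that checks switch extensions; both are host-side settings a tenant cannot see from inside the guest, which is exactly why they need to be reviewed from outside.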