NIC - Hybrid Cloud with NVGRE - Level 400

Join a true VMM Ninja and learn about network virtualization in a practical way.
This session walks through the configuration steps required and also explains what happens and, more importantly, why and how it happens.
Windows Server and System Center use Network Virtualization with GRE to deliver the Cloud OS story, and it should be considered mandatory for hybrid cloud solutions, whether in the enterprise or as part of a hosting plan with Windows Azure Pack.
VMM is responsible for deploying, maintaining and configuring the NVGRE policies across your cloud infrastructure, so everything is performed from this single console. (Yes, you will also learn a lot about networking in VMM in general during this session.)



Usage Rights: © All Rights Reserved

  • Technical description. The concept of network virtualization consists of what we call Customer Addresses, Provider Addresses, Virtual Subnet IDs and Routing Domains.
    A Customer Address (CA) is assigned by the customer/tenant based on their own subnet, IP range and network topology. This address is only visible to the virtual machine and, if you allow routing, to other virtual machines within the same VM network. It is important to remember that the CA is only visible to the VM and not to the underlying network fabric.
    A Provider Address (PA) is assigned either by the administrator or by System Center Virtual Machine Manager based on the physical network infrastructure. The PA is only visible on the physical network and is used when Hyper-V hosts (either stand-alone or clustered) and other devices exchange packets while participating in network virtualization.
    A Virtual Subnet is identified by a unique virtual subnet ID (VSID), which plays the same role as a physical VLAN: it defines an IP subnet at Layer 3 and a broadcast domain boundary at Layer 2. The VSID must be unique within the datacenter and is in the range 4096 to 2^24-2.
    A Routing Domain defines the relationship between the virtual subnets created by a tenant and identifies the VM network. The Routing Domain ID (RDID) is a globally unique ID (GUID) within the datacenter. The network virtualization stack enables Layer 3 routing between the subnets of a routing domain through a default gateway (always x.x.x.1), which can neither be disabled nor configured.
  • A logical network is used to organize and simplify network assignments for hosts, virtual machines and services. As part of logical network creation, you can create network sites to define the VLANs, IP subnets, and IP subnet/VLAN pairs that are associated with the logical network in each physical location. One connected network is primarily intended for multiple sites where you want VMM to pick the correct subnet-VLAN for you. This is the case for VM deployment and for network virtualization PA address assignment: you pick where you want the workload located and VMM picks the appropriate subnet-VLAN. Independent VLANs are for the case where you know which subnet-VLAN you want and don't want VMM to make any assumptions about routing. Routing may or may not exist. This is primarily used for VLANs assigned to specific tenants: you pick the network and VMM finds the appropriate location. For infrastructure networks you can go either way.
  • A port profile for uplinks (also called an uplink port profile) specifies which logical networks can connect through a particular physical network adapter. After you create an uplink port profile, add it to a logical switch, which places it in a list of profiles that are available through that logical switch. When you apply the logical switch to a network adapter in a host, the uplink port profile is available in the list of profiles, but it is not applied to that network adapter until you select it from the list. This helps you to create consistency in the configurations of network adapters across multiple hosts, but it also enables you to configure each network adapter according to your specific requirements. A port profile for virtual network adapters specifies capabilities for those adapters and makes it possible for you to control how bandwidth is used on the adapters. The capabilities include offload settings, security settings and bandwidth settings. A port classification provides a global name for identifying different types of virtual network adapter port profiles. As a result, a classification can be used across multiple logical switches while the settings for the classification remain specific to each logical switch.
  • A logical switch brings port profiles, port classifications, and switch extensions together so that you can apply them consistently to network adapters on multiple host systems. Note that when you add an uplink port profile to a logical switch, this places the uplink port profile in a list of profiles that are available through that logical switch.
  • VM networks enable you to use network virtualization, which extends the concept of server virtualization to make it possible to deploy multiple virtual networks (VM networks) on the same physical network.
  • Optimal performance when you have 1 (or more) PAs per NIC in the team. For example, a NIC team of 2 NICs should have 2 or more PAs, with the CAs spread between them.
  • Provides tenant traffic isolation per compartment. Allows overlapping IP addresses. Enabled through the Windows Server 2012 R2 Hyper-V host.
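As an added example (not code from the session or from VMM), the following Python model of the lookup policy described in the notes above ties the concepts together: two tenants reuse the same CA space, the VSID (5001 and 6001, as on the GRE-key slide) selects the policy and becomes the GRE key, the fabric sees only PAs, and traffic aimed at another routing domain has no policy entry and is dropped. The subnet CIDRs, PAs and MAC addresses are constructed sample values, and carrying the destination subnet's VSID in the GRE key is the model's assumption.

```python
import ipaddress
# Added toy model of the HNV policy described in the notes above (not VMM's or
# the session's code); the CIDRs, PAs and MACs used in demo() are constructed.
VSID_MIN, VSID_MAX = 4096, 2**24 - 2   # VSID range quoted in the notes


class HnvPolicy:
    def __init__(self):
        self.subnets = {}   # vsid -> (rdid, IPv4Network); rdid is a GUID in VMM
        self.records = {}   # (vsid, ca) -> (pa, mac)

    def add_subnet(self, vsid, rdid, cidr):
        if not VSID_MIN <= vsid <= VSID_MAX or vsid in self.subnets:
            raise ValueError(f"VSID {vsid} out of range or already in use")
        self.subnets[vsid] = (rdid, ipaddress.ip_network(cidr))

    def add_record(self, vsid, ca, pa, mac):
        _, net = self.subnets[vsid]
        addr = ipaddress.ip_address(ca)
        if addr not in net or addr == net[1]:   # x.x.x.1 is the fixed gateway
            raise ValueError(f"{ca} is not a usable CA in VSID {vsid}")
        self.records[(vsid, ca)] = (pa, mac)

    def deliver(self, src_vsid, src_ca, dst_ca):
        """Outer (PA) header the fabric sees for a CA packet, or None if dropped."""
        src_pa, _ = self.records[(src_vsid, src_ca)]
        rdid, src_net = self.subnets[src_vsid]
        dst = ipaddress.ip_address(dst_ca)
        if dst in src_net:                       # same virtual subnet (L2)
            dst_vsid = src_vsid
        else:                                    # routed via the .1 gateway
            dst_vsid = next((v for v, (r, n) in self.subnets.items()
                             if r == rdid and dst in n), None)
        if (dst_vsid, dst_ca) not in self.records:
            return None                          # other RDID or unknown CA
        dst_pa, _ = self.records[(dst_vsid, dst_ca)]
        return {"outer_src": src_pa, "outer_dst": dst_pa, "gre_key": dst_vsid,
                "inner_src": src_ca, "inner_dst": dst_ca}


def demo():
    """Blue and Red both use 10.0.0.0/24; VSIDs 5001 and 6001 as on the slides."""
    p = HnvPolicy()
    p.add_subnet(5001, "blue-rdid", "10.0.0.0/24")
    p.add_subnet(5002, "blue-rdid", "10.0.1.0/24")
    p.add_subnet(6001, "red-rdid", "10.0.0.0/24")
    p.add_record(5001, "10.0.0.5", "192.168.1.10", "00-15-5D-00-00-01")
    p.add_record(5002, "10.0.1.5", "192.168.1.11", "00-15-5D-00-00-02")
    p.add_record(6001, "10.0.0.5", "192.168.1.11", "00-15-5D-00-00-03")
    p.add_record(6001, "10.0.0.6", "192.168.1.10", "00-15-5D-00-00-04")
    cases = [(5001, "10.0.0.6"), (6001, "10.0.0.6"), (5001, "10.0.1.5"), (6001, "10.0.1.5")]
    return [p.deliver(v, "10.0.0.5", d) for v, d in cases]
```

Both tenants send from 10.0.0.5: Blue's packet to 10.0.0.6 is dropped because no Blue VM owns that CA, while Red's reaches Red's VM on another host; Blue's packet to 10.0.1.5 is routed and leaves with GRE key 5002, and Red's is dropped because that subnet belongs to a different routing domain.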

Presentation Transcript

  • Hybrid Cloud with NVGRE (WSSC 2012 R2). Kristian Nese, CTO, MVP, Lumagate (@KristianNese). Based on the whitepaper.
  • Dynamic VLAN Reconfiguration is Cumbersome
    (diagram: aggregation switches, VLAN tags, ToR switches and VMs)
    Topology limits VM placement and requires reconfiguration of production switches.
  • Session Objectives
    • Business requirements
    • Explaining the technology and features involved
    • VMM Networking (HUGE TOPIC!): configuration and setup
    • Network Virtualization in Windows Server Hyper-V 2012 R2 and VMM 2012 R2
    • Microsoft Multi-Tenant Gateway
  • Business Requirements
  • Business Requirements
    Enterprises
    • In a private cloud, datacenter consolidation is easier to achieve by using network virtualization
    • Incremental integration of an acquired company's network infrastructure
    • Extension of the datacenter into a hybrid cloud
    Service Providers
    • Tenants can bring their own network topology, and eventually manage their own networks (VM networks)
    • Share a single physical network securely across multiple tenants
    Workload owners and tenants
    • Seamless migration to the cloud
    • Move n-tier topology to the cloud
    • Preserve policies, VM settings, IP addresses
    Cloud and Datacenter Administrators
    • Decoupling of server and network admin roles increases agility
    • Flexible VM placement without network reconfiguration
    • Reduced costs for management and support
  • Explaining the technology and features involved
  • Explaining the technology and features involved
    • NIC teaming (WS 2012 R2)
    • QoS (WS 2012 R2)
    • Virtual Switch Extensions (WS 2012 R2)
    • Virtualization Gateway in RRAS (WS 2012 R2)
    • Hyper-V Network Virtualization (WS 2012 R2)
    • Logical Networks (VMM 2012 R2)
    • Port Profiles (VMM 2012 R2)
    • Logical Switches (VMM 2012 R2)
    • Network Services (VMM 2012 R2)
    • Service Templates (VMM 2012 R2)
  • VMM Networking
  • Isolation Types in VMM
  • Where and What Isolation Should We Use?
    (diagram: load balancer back end and internet facing)
  • Logical Networks
    • Models the physical network
    • Separates like subnets and VLANs into named objects that can be scoped to a site
    • Container for fabric static IP address pools
    • VM networks are created on a logical network
  • Port Profiles and Classifications
    • Two port profile types: Uplink and Virtual
    • Port Classifications: container for port profile settings; reusable; exposed to tenants through the cloud
  • Logical Switch
    • Central container for virtual switch settings
    • Consistent port profiles across the data center
    • Consistent extensions
    • Compliance enforcement
  • VM Networks, VM Subnets and IP Pools
  • NVGRE in Windows Server 2012 R2 and VMM 2012 R2
  • Virtualize Customer Addresses
    (diagram: Blue Corp and Red Corp each keep their own Customer Address space (CA: Blue1, Blue2, Red1, Red2); the System Center datacenter network virtualization policy maps these onto the Provider Address space (PA) of Host 1 and Host 2)
  • Hyper-V Network Virtualization Concepts
    • Customer VM Network: one or more virtual subnets forming an isolation boundary. A customer may have multiple Customer VM Networks, e.g. Blue R&D and Blue Sales are isolated from each other.
    • Virtual Subnet: broadcast boundary
    (diagram: Hoster Datacenter hosting Blue Corp with Blue R&D Net (Blue Subnet1, Subnet2, Subnet3) and Blue Sales Net (Blue Subnet4, Subnet5), and Red Corp with Red HR Net (Red Subnet1, Subnet2))
  • Hyper-V Network Virtualization Concept
    (diagram: NVGRE packets for two tenants, the outer GRE header carrying GRE Key 5001 or GRE Key 6001 and the inner frame carrying the VM's MAC and CA)
  • Network Virtualization Improvements in Windows Server 2012 R2 Hyper-V
    • Network Virtualization is now a virtual switch extension
    • Hyper-V network virtualization and forwarding extensions can coexist
    • Hyper-V Network Virtualization enabled by default
    • Broadcast/Multicast support
    • Dynamic IP address learning
    • Support for guest clustering
    • DHCP inside VM networks
    • Inbound and outbound spread on virtualized traffic
    • Higher performance with teamed NICs
    • Utilizes LBFO's new Dynamic mode
  • Network Virtualization Improvements in Windows Server 2012 R2 Hyper-V
    • Provider Addresses configured with a MAC address
    • *-NetVirtualizationProviderAddress cmdlets updated to take a MAC address
    • Optimal performance when you have 1 (or more) PAs per NIC in the team
    • Enhanced diagnostics: Test-VMNetworkAdapter and Select-NetVirtualizationNextHop
    • NVGRE Encapsulated Task Offload: available in 2012, and Emulex and Mellanox have recently announced products supporting NVGRE Task Offload
  • Network Virtualization Improvements in VMM 2012 R2
    • Improved HNV policy application
    • All network devices* and services are now "network services"
    • Highly available Multi-Tenant Gateway
    • Full IPAM integration
      • In-box plugin for Microsoft IPAM
      • Exchange logical networks, sites and subnets
    • More error-resistant VMM server
  • Microsoft Multi-Tenant Gateway
  • Hybrid Networking in WS2012 R2
    • Multitenant S2S network virtualization gateway
    • Clustering for high availability on guest and host level
    • Uses BGP for dynamic route updates
    • Multitenant-aware NAT for Internet access
    • Integration with VMM 2012 R2
    • Up to 200 S2S VPN connections, 50 routing domains and 500 virtual subnets
    (diagram: Contoso, Northwind and Fabrikam VM networks at the hoster reaching the Internet through the gateway, with BGP peering)
  • Multi-Tenant Networking Stack
    (diagram: VM, Hyper-V switch and the TCP/IP stack)
  • Multi-Tenant Networking Stack
    (diagram: the default compartment plus one TCP/IP compartment per tenant VM network, attached to the Hyper-V switch)
  • Network Virtualization Gateway Layout
    (diagram: three active-passive gateway clusters, GW Cluster01 with Multi-Tenant PVN Gateway VM01 and VM02, GW Cluster02 with VM03 and VM04, GW Cluster03 with VM05 and VM06, running on the HV cluster; host networks for PA/tenant traffic, management and external connectivity)
  • IPsec Parameters for S2S VPNs
    IKE Phase 1 Setup (Property: Setting)
    • IKE Version: IKEv2
    • Diffie-Hellman Group: Group 2 (1024 bit)
    • Authentication Method: Pre-Shared Key
    • Encryption Algorithms: AES256, 3DES
    • Hashing Algorithm: SHA1 (SHA128)
    • Phase 1 Security Association (SA) Lifetime (Time): 28,800 seconds
    IKE Phase 2 Setup (Property: Setting)
    • IKE Version: IKEv2
    • Hashing Algorithm: SHA1 (SHA128)
    • Phase 2 Security Association (SA) Lifetime (Time): -
    • Phase 2 Security Association (SA) Lifetime (Throughput): -
    • IPsec SA Encryption & Authentication Offers (in order of preference): see Dynamic Routing Gateway IPsec Security Association (SA) Offers
    • Perfect Forward Secrecy (PFS): No
    • Dead Peer Detection: Supported
  • Known Compatible VPN Devices (Vendor / Device Family / Minimum OS Version / Configuration Template)
    • Cisco / ASR / IOS 15.2 / Cisco ASR templates
    • Cisco / ISR / IOS 15.1 / Cisco ISR templates
    • Juniper / SRX / JunOS 11.4 / Juniper SRX templates
    • Juniper / J-Series / JunOS 11.4 / Juniper J-series templates
    • Juniper / ISG / ScreenOS 6.3 / Juniper ISG templates
    • Juniper / ISG / ScreenOS 6.3 / Juniper SSG templates
    • Microsoft / Routing and Remote Access Service / Windows Server 2012 / Routing and Remote Access Service templates
  • DEMO
  • Summary
  • Check Out Our Whitepaper Hybrid Cloud with NVGRE (WSSC 2012 R2)
  • Questions
  • Thank you!
  • Please evaluate the session before you leave. @KristianNese. Hybrid Cloud with NVGRE – whitepaper: