NIC - Hybrid Cloud with NVGRE - Level 400


Join a true VMM Ninja and learn about network virtualization in a practical way.
This session walks through the configuration steps required and also explains what happens and, more importantly, why and how it happens.
Windows Server and System Center use Network Virtualization with GRE (NVGRE) to deliver the Cloud OS story, and it must be considered mandatory for hybrid cloud solutions, whether in the enterprise or as part of a hosting plan with Windows Azure Pack.
VMM is responsible for deploying, maintaining and configuring the NVGRE policies across your cloud infrastructure, so everything is performed from this single console. (Yes, you will also learn a lot about networking in VMM in general during this session.)

  • Technical description. The concept of network virtualization consists of Customer Addresses, Provider Addresses, Virtual Subnet IDs and Routing Domains.
        A Customer Address (CA) is assigned by the customer/tenant based on their own subnet, IP range and network topology. This address is visible only to the virtual machine and to other virtual machines in the same virtual subnet (and, if you allow routing, in the same VM network). It is important to remember that the CA is visible only to the VM and not to the underlying network fabric.
        A Provider Address (PA) is assigned either by the administrator or by System Center Virtual Machine Manager based on the physical network infrastructure. The PA is visible only on the physical network and is used when Hyper-V hosts (stand-alone or clustered) and other devices exchange packets while participating in network virtualization.
        A Virtual Subnet is identified by a unique virtual subnet ID (VSID) and is analogous to a physical VLAN: it defines an IP subnet at Layer 3 and a broadcast domain boundary at Layer 2. The VSID must be unique within the datacenter and lies in the range 4096 to 2^24-2.
        A Routing Domain defines the relationship between the virtual subnets created by a tenant and identifies the VM network. The Routing Domain ID (RDID) is a globally unique ID (GUID) within the datacenter. The network virtualization stack enables Layer 3 routing between these subnets through a default gateway (always x.x.x.1), which can be neither disabled nor configured.
  • A logical network is used to organize and simplify network assignments for hosts, virtual machines and services. As part of logical network creation, you can create network sites to define the VLANs, IP subnets, and IP subnet/VLAN pairs that are associated with the logical network in each physical location. One connected network is primarily intended for multiple sites where you want VMM to pick the correct subnet/VLAN for you; this is the case for VM deployment and for network virtualization PA address assignment. Here you pick where you want the workload located and VMM picks the appropriate subnet/VLAN. Independent VLANs are for the case where you know which subnet/VLAN you want and don't want VMM to make any assumptions about routing; routing may or may not exist. This is primarily used for VLANs assigned to specific tenants: you pick the network and VMM finds the appropriate location. For infrastructure networks you can go either way.
  • A port profile for uplinks (also called an uplink port profile) specifies which logical networks can connect through a particular physical network adapter. After you create an uplink port profile, add it to a logical switch, which places it in a list of profiles that are available through that logical switch. When you apply the logical switch to a network adapter in a host, the uplink port profile is available in the list of profiles, but it is not applied to that network adapter until you select it from the list. This helps you create consistency in the configuration of network adapters across multiple hosts, but it also enables you to configure each network adapter according to your specific requirements. A port profile for virtual network adapters specifies capabilities for those adapters and makes it possible for you to control how bandwidth is used on the adapters. The capabilities include offload settings, security settings and bandwidth settings. A port classification provides a global name for identifying different types of virtual network adapter port profiles. As a result, a classification can be used across multiple logical switches while the settings for the classification remain specific to each logical switch.
  • A logical switch brings port profiles, port classifications, and switch extensions together so that you can apply them consistently to network adapters on multiple host systems. Note that when you add an uplink port profile to a logical switch, this places the uplink port profile in a list of profiles that are available through that logical switch.
  • VM networks enable you to use network virtualization, which extends the concept of server virtualization to make it possible to deploy multiple virtual networks (VM networks) on the same physical network.
  • Optimal performance when you have 1 (or more) PAs per NIC in the team. For example, a NIC team of 2 NICs should have 2 or more PAs, with the CAs spread between them.
  • Provide tenant traffic isolation per compartment; allow overlapping IP addresses; enabled through the Windows Server 2012 R2 Hyper-V host.
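The speaker notes above describe the moving parts of Hyper-V Network Virtualization in words: a policy table, pushed by VMM, maps each customer address (CA) in a routing domain to the provider address (PA) of the host running that VM and to a VSID; the sending host wraps the VM's frame in an outer IP header that carries only PAs plus a GRE header whose 24-bit key is the VSID (GRE protocol type 0x6558, Transparent Ethernet Bridging, which is the NVGRE framing); the receiving host uses that key, not the inner CA, to decide which tenant gets the frame. The following Python model is an added example written for this page, not code from the session, from Windows Server or from VMM. It builds and parses NVGRE packets for two tenants that both number their VMs from 10.0.0.0/24 on the same two hosts, so the only thing keeping them apart is the GRE key, and it drops any frame whose destination has no record in the sender's routing domain. All addresses, MACs and routing-domain GUIDs are constructed; the VSIDs 5001 and 6001 echo the GRE keys on slide 18.

```python
"""Toy model of Hyper-V Network Virtualization (NVGRE) encapsulation and policy lookup.
Added example for this page, not code from the presentation, Windows Server or VMM;
every address, MAC, VSID and routing-domain GUID below is constructed."""
import struct
from ipaddress import IPv4Address

GRE_PROTO_TEB = 0x6558     # GRE protocol type: Transparent Ethernet Bridging (NVGRE)
GRE_FLAGS_KEY = 0x2000     # GRE flags word with only the K (key present) bit set
IPPROTO_GRE = 47
VSID_MIN, VSID_MAX = 4096, (1 << 24) - 2   # VSID range quoted in the speaker notes


def vsid_is_valid(vsid):
    """A VSID must fit the 24-bit GRE key field and stay above the reserved values."""
    return VSID_MIN <= vsid <= VSID_MAX


class Policy:
    """Lookup records a host receives from VMM: which PA and VSID serve each CA."""
    def __init__(self):
        self._by_ca = {}     # (rdid, ca) -> (vsid, pa, vm_mac)   consulted when sending
        self._by_vsid = {}   # (vsid, ca) -> rdid                 consulted when receiving

    def add(self, rdid, vsid, ca, pa, mac):
        if not vsid_is_valid(vsid):
            raise ValueError(f"VSID {vsid} outside {VSID_MIN}..{VSID_MAX}")
        ca = IPv4Address(ca)
        self._by_ca[(rdid, ca)] = (vsid, IPv4Address(pa), mac)
        self._by_vsid[(vsid, ca)] = rdid

    def lookup(self, rdid, ca):
        """Only records inside the caller's own routing domain are visible."""
        return self._by_ca.get((rdid, IPv4Address(ca)))

    def owner(self, vsid, ca):
        return self._by_vsid.get((vsid, IPv4Address(ca)))


def ipv4_header(src, dst, proto, payload_len):
    # Version 4, IHL 5, no options, TTL 64; the checksum is left zero in this toy model.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def inner_frame(src_mac, dst_mac, src_ca, dst_ca):
    """The frame as the VM sees it: Ethernet + IPv4 carrying customer addresses only."""
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ipv4_header(src_ca, dst_ca, 0, 0)


def nvgre_encapsulate(src_pa, dst_pa, vsid, flow_id, frame):
    """Outer IPv4 (provider addresses) + GRE header whose 32-bit key is VSID:FlowID."""
    gre = struct.pack("!HHI", GRE_FLAGS_KEY, GRE_PROTO_TEB, (vsid << 8) | (flow_id & 0xFF))
    return ipv4_header(src_pa, dst_pa, IPPROTO_GRE, len(gre) + len(frame)) + gre + frame


def nvgre_decapsulate(packet):
    """Return (src_pa, dst_pa, vsid, flow_id, inner_frame); raise on a non-NVGRE packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, ptype, key = struct.unpack("!HHI", packet[ihl:ihl + 8])
    if ptype != GRE_PROTO_TEB or not flags & GRE_FLAGS_KEY:
        raise ValueError("GRE header is not NVGRE (TEB with key present)")
    return (IPv4Address(packet[12:16]), IPv4Address(packet[16:20]),
            key >> 8, key & 0xFF, packet[ihl + 8:])


def inner_addresses(frame):
    # (src_ca, dst_ca) from the inner IPv4 header: 14 bytes of Ethernet, then offsets 12/16
    return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))


def send(policy, rdid, local_pa, src_mac, src_ca, dst_ca):
    """Outbound path on the sending host: policy lookup, then encapsulate, or drop (None)."""
    record = policy.lookup(rdid, dst_ca)
    if record is None:
        return None                  # no CA record in this routing domain: stays isolated
    dst_vsid, dst_pa, dst_mac = record
    return nvgre_encapsulate(local_pa, dst_pa, dst_vsid, 1,
                             inner_frame(src_mac, dst_mac, src_ca, dst_ca))


def receive(policy, packet):
    """Inbound path: the GRE key, not the inner CA, decides which tenant gets the frame."""
    _, _, vsid, _, frame = nvgre_decapsulate(packet)
    return policy.owner(vsid, inner_addresses(frame)[1])   # None: unknown pair, dropped


# Constructed sample: Blue Corp and Red Corp both number their VMs from 10.0.0.0/24 and
# both have a VM on Host 1 (PA 192.168.1.10) and on Host 2 (PA 192.168.1.11).
BLUE_RDID = "11111111-1111-4111-8111-111111111111"   # constructed GUIDs
RED_RDID = "22222222-2222-4222-8222-222222222222"
HOST1_PA, HOST2_PA = "192.168.1.10", "192.168.1.11"
BLUE1_MAC, RED1_MAC = "00:1d:d8:b7:1c:01", "00:1d:d8:b7:1c:03"


def sample_policy():
    p = Policy()
    p.add(BLUE_RDID, 5001, "10.0.0.5", HOST1_PA, BLUE1_MAC)               # Blue1 on Host 1
    p.add(BLUE_RDID, 5001, "10.0.0.6", HOST2_PA, "00:1d:d8:b7:1c:02")    # Blue2 on Host 2
    p.add(RED_RDID, 6001, "10.0.0.5", HOST1_PA, RED1_MAC)                 # Red1 on Host 1
    p.add(RED_RDID, 6001, "10.0.0.6", HOST2_PA, "00:1d:d8:b7:1c:04")     # Red2 on Host 2
    return p


if __name__ == "__main__":
    p = sample_policy()
    for name, rdid, mac in (("Blue", BLUE_RDID, BLUE1_MAC), ("Red", RED_RDID, RED1_MAC)):
        pkt = send(p, rdid, HOST1_PA, mac, "10.0.0.5", "10.0.0.6")
        print(name, "-> Host 2, VSID", nvgre_decapsulate(pkt)[2], "owner ok:", receive(p, pkt) == rdid)
    print("Blue -> 10.0.0.99 (no record):", send(p, BLUE_RDID, HOST1_PA, BLUE1_MAC, "10.0.0.5", "10.0.0.99"))
```

Running it shows the two encapsulated packets for "10.0.0.5 to 10.0.0.6" sharing identical outer headers (Host 1 PA to Host 2 PA) and differing only in the GRE key and inner MACs, which is why the fabric can carry overlapping tenant address spaces and why the policy table, rather than anything in the packet a tenant controls, is the isolation boundary.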

    1. Kristian Nese, CTO, MVP, Lumagate. Hybrid Cloud with NVGRE (WSSC 2012 R2). Based on the Whitepaper. @KristianNese
    2. Dynamic VLAN Reconfiguration is Cumbersome. Topology limits VM placement and requires reconfiguration of production switches. [Diagram: aggregation switches, VLAN tags, ToR switches, VMs]
    3. Session Objectives • Business requirements • Explaining the technology and features involved • VMM Networking (HUGE TOPIC!): Configuration and Setup • Network Virtualization in Windows Server Hyper-V 2012 R2 and VMM 2012 R2 • Microsoft Multi-Tenant Gateway
    4. Business Requirements
    5. Business Requirements
        Enterprises • In a Private Cloud, datacenter consolidation can be achieved more easily by using network virtualization • Incremental integration of acquired company network infrastructure • Extension of the datacenter into the hybrid cloud
        Service Providers • Tenants can bring their own network topology and eventually manage their own networks (VM networks) • Share a single physical network securely across multiple tenants
        Workload owners and tenants • Seamless migration to the cloud • Move n-tier topology to the cloud • Preserve policies, VM settings, IP addresses
        Cloud and Datacenter Administrators • Decoupling of server and network admin roles increases agility • Flexible VM placement without network reconfiguration • Reduce costs for management and support
    6. Explaining the technology and features involved
    7. Explaining the technology and features involved • NIC teaming (WS 2012 R2) • QoS (WS 2012 R2) • Virtual Switch Extensions (WS 2012 R2) • Virtualization Gateway in RRAS (WS 2012 R2) • Hyper-V Network Virtualization (WS 2012 R2) • Logical Networks (VMM 2012 R2) • Port Profiles (VMM 2012 R2) • Logical Switches (VMM 2012 R2) • Network Services (VMM 2012 R2) • Service Templates (VMM 2012 R2)
    8. VMM Networking
    9. Isolation Types in VMM
    10. Where and What Isolation Should We Use? Load balancer back end and internet facing
    11. Logical Networks • Models the physical network • Separates like subnets and VLANs into named objects that can be scoped to a site • Container for fabric static IP address pools • VM networks are created on logical networks
    12. Port Profiles and Classifications • Two Port Profile Types: Uplink, Virtual • Port Classifications: container for port profile settings, reusable, exposed to tenants through the cloud
    13. Logical Switch • Central container for virtual switch settings • Consistent port profiles across the data center • Consistent extensions • Compliance enforcement
    14. VM Networks, VM Subnets and IP Pools
    15. NVGRE in Windows Server 2012 R2 and VMM 2012 R2
    16. Virtualize Customer Addresses [Diagram: Blue Corp and Red Corp customer address spaces (CA), with VMs Blue1, Blue2, Red1 and Red2 spread over Host 1 and Host 2, mapped onto the Provider Address Space (PA) by the System Center datacenter network virtualization policy]
    17. Hyper-V Network Virtualization Concepts • Customer VM Network: one or more virtual subnets forming an isolation boundary; a customer may have multiple Customer VM Networks, e.g. Blue R&D and Blue Sales are isolated from each other • Virtual Subnet: broadcast boundary [Diagram: hoster datacenter with Blue Corp (Blue R&D Net: Blue Subnet1, Subnet2, Subnet3; Blue Sales Net: Blue Subnet4, Subnet5) and Red Corp (Red HR Net: Red Subnet1, Subnet2)]
    18. Hyper-V Network Virtualization Concept [Diagram: encapsulated packets carrying inner MAC and CA headers, one with GRE Key 5001 and one with GRE Key 6001]
    19. Network Virtualization Improvements in Windows Server 2012 R2 Hyper-V • Network Virtualization is now a virtual switch extension • Hyper-V network virtualization and forwarding extensions can coexist • Hyper-V Network Virtualization enabled by default • Broadcast/Multicast support • Dynamic IP address learning • Support for guest clustering • DHCP inside VM networks • Inbound and outbound spread on virtualized traffic • Higher performance with teamed NICs • Utilizes LBFO's new Dynamic Mode
    20. Network Virtualization Improvements in Windows Server 2012 R2 Hyper-V • Provider Addresses configured with a MAC address • *-NetVirtualizationProviderAddress cmdlets updated to take a MAC address • Optimal performance when you have 1 (or more) PAs per NIC in the team • Enhanced diagnostics: Test-VMNetworkAdapter and Select-NetVirtualizationNextHop • NVGRE Encapsulated Task Offload: available in 2012, but recently Emulex and Mellanox have announced products supporting NVGRE Task Offload
    21. Network Virtualization Improvements in VMM 2012 R2 • Improved HNV policy application • All network devices* and services are now "network services" • Highly available Multi-Tenant Gateway • Full IPAM integration • In-box plugin for Microsoft IPAM • Exchange logical networks, sites and subnets • More error-resistant VMM server
    22. Microsoft Multi-Tenant Gateway
    23. Hybrid Networking in WS2012 R2 • Multitenant S2S network virtualization GW • Clustering for high availability on guest and host level • Uses BGP for dynamic route updates • Multitenant-aware NAT for Internet access • Integration with VMM 2012 R2 • Up to 200 S2S VPN connections, 50 routing domains and 500 virtual subnets [Diagram: hoster with Contoso, Northwind and Fabrikam VM networks connected over BGP and the Internet]
    24. Multi-Tenant Networking Stack [Diagram: TCP/IP stack, VM, Hyper-V]
    25. Multi-Tenant Networking Stack [Diagram: TCP/IP stack with a default compartment and one compartment per tenant VM network, VM, Hyper-V switch]
    26. Network Virtualization Gateway Layout [Diagram: GW Cluster01, GW Cluster02 and GW Cluster03, each Active-Passive with two Multi-Tenant PVN Gateway VMs (VM01/VM02, VM03/VM04, VM05/VM06) on an HV cluster; hosts attached to the PA/tenant network and the management network; external and management networks]
    27. IPsec Parameters for S2S VPNs
        IKE Phase 1 Setup (Property: Setting)
          IKE Version: IKEv2
          Hashing Algorithm: SHA1 (SHA128)
          Diffie-Hellman Group: Group 2 (1024 bit)
          Authentication Method: Pre-Shared Key
          Encryption Algorithms: AES256, 3DES
          Phase 1 Security Association (SA) Lifetime (Time): 28,800 seconds
        IKE Phase 2 Setup (Property: Setting)
          IKE Version: IKEv2
          Hashing Algorithm: SHA1 (SHA128)
          Phase 2 Security Association (SA) Lifetime (Time): -
          Phase 2 Security Association (SA) Lifetime (Throughput): -
          IPsec SA Encryption & Authentication Offers (in the order of preference): See Dynamic Routing Gateway IPsec Security Association (SA) Offers
          Perfect Forward Secrecy (PFS): No
          Dead Peer Detection: Supported
    28. Known Compatible VPN Devices (Vendor / Device Family / Minimum OS Version / Configuration Template)
          Cisco / ASR / IOS 15.2 / Cisco ASR templates
          Cisco / ISR / IOS 15.1 / Cisco ISR templates
          Juniper / SRX / JunOS 11.4 / Juniper SRX templates
          Juniper / J-Series / JunOS 11.4 / Juniper J-series templates
          Juniper / ISG / ScreenOS 6.3 / Juniper ISG templates
          Juniper / ISG / ScreenOS 6.3 / Juniper SSG templates
          Microsoft / Routing and Remote Access Service / Windows Server 2012 / Routing and Remote Access Service templates
    29. DEMO
    30. Summary
    31. Check Out Our Whitepaper: Hybrid Cloud with NVGRE (WSSC 2012 R2)
    32. Questions
    33. Thank you!
    34. Please evaluate the session before you leave. @KristianNese. Hybrid Cloud with NVGRE – whitepaper: