Hyper-V Networking
  • Customers don’t want to be impacted by the hoster’s hardware problems. Hosters want to differentiate by being able to offer always up/on guarantees while accounting for potential hardware failures in the network.
  • Great opportunity to talk about the cloud admin’s ability to offer differentiated services, especially around network workloads on shared infrastructure. For the first time a “Gold” customer can be hosted on the same hardware as a “Bronze” customer without any worry that the “Bronze” customer can impact the networking guarantee of the “Gold” customer.
  • A VLAN ID is the integer which uniquely identifies a node as belonging to a particular VLAN. As per the 802.1Q specification, the VLAN ID itself is encapsulated within the Ethernet frame, which is how multiple VMs using the same physical NIC can communicate on different VLANs simultaneously.
  • First, you need physical NICs which support VLAN tagging and you need to enable the feature. However, you should generally not set the VLAN ID at the physical NIC; it should be set on either the virtual switch or the individual virtual machine’s configuration. The VLAN ID on the virtual switch is what the host or parent partition uses. The VLAN ID setting on the individual virtual machine’s settings is what each VM will use. When creating an external network in Hyper-V, a virtual network switch is created and bound to the selected physical adapter. A new virtual network adapter is created in the parent partition and connected to the virtual network switch. Child partitions can be bound to the virtual network switch by using virtual network adapters. Hyper-V also supports the use of VLANs and VLAN IDs with the virtual network switch and virtual network adapters. Hyper-V leverages 802.1Q VLAN trunking to achieve this objective.
  • VLAN tags are used to improve security by isolating specific hosts on specific networks. Tags need to be configured on both the VM and the host.
  • DHCPGuard allows you to specify whether DHCP server messages coming from a VM should be dropped. For VMs that are running an authorized instance of the DHCP server role, you can turn DHCPGuard off, and turn it back on again later:
    Set-VMNetworkAdapter -VMName MyDhcpServer1 -DhcpGuard Off
    Set-VMNetworkAdapter -VMName MyDhcpServer1 -DhcpGuard On
  • ARP/ND Poisoning (spoofing) protection: Provides protection against a malicious VM using Address Resolution Protocol (ARP) spoofing to steal IP addresses from other VMs. Provides protection against attacks that can be launched for IPv6 using Neighbor Discovery (ND) spoofing. The Hyper-V Extensible Switch provides protection against a malicious virtual machine stealing IP addresses from other virtual machines through ARP spoofing (also known as ARP poisoning in IPv4). With this type of man-in-the-middle attack, a malicious virtual machine sends a fake ARP message, which associates its own MAC address to an IP address that it doesn’t own. Unsuspecting virtual machines send network traffic targeted to that IP address to the MAC address of the malicious virtual machine instead of the intended destination. For IPv6, Windows Server 2012 provides equivalent protection for ND spoofing.
  • Event Tracing for Windows (ETW) provides application programmers the ability to start and stop event tracing sessions, instrument an application to provide trace events, and consume trace events. Trace events contain an event header and provider-defined data that describes the current state of an application or operation. You can use the events to debug an application and perform capacity and performance analysis.
  • In Windows Server 2012, a new parameter is added to the Netsh Trace commands that are provided in Windows Server 2008 R2. The new parameter extends tracing capabilities and enables network administrators to capture network traffic more efficiently, making the process of troubleshooting network issues more effective. In Windows Server 2012, you can use the new Netsh Trace parameter, capturetype, to capture:
    - Physical computer traffic (traffic that originates or terminates on the physical computer)
    - Virtual machine traffic (traffic that originates or terminates on virtual machines)
    - Traffic that traverses the Hyper-V virtual switch
    The combination of these new capabilities with the tracing capabilities that are provided in Windows Server 2008 R2 is known as Unified Tracing.
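The per-port protections described in the notes above (VLAN/PVLAN isolation, DHCP Guard, ARP/ND spoofing protection, port ACLs, metering, port mirroring) applied to one tenant VM and then audited across the host, as an added example that is not part of the deck or of Microsoft's own material. It assumes the names and addresses of slide 11 (Red1 as the Contoso VM on isolated PVLAN 4/7, gateway 10.1.1.1), a Windows Server 2012 host with the Hyper-V PowerShell module, and that overlapping port ACLs are resolved by the most specific (longest-prefix) match.

```powershell
# Added example, not from the deck: lock down one tenant VM port on a
# Windows Server 2012 Hyper-V host, then audit every VM port on the host.
# Assumed: names/addresses follow slide 11 (Red1 on isolated PVLAN 4/7,
# gateway 10.1.1.1); overlapping port ACLs resolve to the longest prefix.
Import-Module Hyper-V

$vm = 'Red1'

# PVLAN isolated port: Red1 can reach the promiscuous port (the gateway)
# but cannot talk to other isolated ports in primary VLAN 4, such as Red2.
Set-VMNetworkAdapterVlan -VMName $vm -Isolated -PrimaryVlanId 4 -SecondaryVlanId 7

# DHCP Guard drops DHCP server replies leaving the VM, Router Guard drops
# router advertisements and redirects, and MacAddressSpoofing Off discards
# frames whose source MAC is not the adapter's own (the ARP/ND protection).
Set-VMNetworkAdapter -VMName $vm -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off

# Stateless port ACLs: deny the tenant subnet, carve out the gateway
# (the /32 is more specific than the /24) and meter everything else so the
# Network Metering counters record the VM's remaining traffic.
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 10.1.1.0/24 -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 10.1.1.1/32  -Direction Both -Action Allow
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0    -Direction Both -Action Meter

# Read back what was applied to this port.
Get-VMNetworkAdapterVlan -VMName $vm
Get-VMNetworkAdapterAcl  -VMName $vm

# Audit: every VM port on the host whose guards are off, which may spoof
# MAC addresses, or which is a mirroring destination (and therefore sees
# other tenants' traffic).
function Get-WeakVMPort {
    Get-VM | Get-VMNetworkAdapter |
        Where-Object {
            $_.DhcpGuard -eq 'Off' -or
            $_.RouterGuard -eq 'Off' -or
            $_.MacAddressSpoofing -eq 'On' -or
            $_.PortMirroringMode -eq 'Destination'
        } |
        Select-Object VMName, Name, DhcpGuard, RouterGuard, MacAddressSpoofing, PortMirroringMode
}

Get-WeakVMPort | Format-Table -AutoSize
```

Run the audit function on its own from a scheduled task to catch ports whose guards were switched off after provisioning.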

    1. Microsoft Virtual Academy
    2. Microsoft Virtual Academy. First Half: (01) Introduction to Microsoft Virtualization; (02) Hyper-V Infrastructure; (03) Hyper-V Networking; (04) Hyper-V Storage. ** MEAL BREAK **. Second Half: (05) Hyper-V Management; (06) Hyper-V High Availability and Live Migration; (07) Integration with System Center 2012 Virtual Machine Manager; (08) Integration with Other System Center 2012 Components
    3. Microsoft Virtual Academy
    4. Synthetic Adapters; Legacy (Emulated) Adapters. Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Linux (SLES 10, 11), RHEL 5.x/6.x, CentOS 5.x/6.x, Windows XP, Windows Vista, Windows 7, Windows 8, OpenSUSE, etc.
    5. • How do I ensure network multi-tenancy? • IP Address Management is a pain. • What if VMs are competing for bandwidth? • Fully Leverage Network Fabric • How do I integrate with existing fabric? • Network Metering? • Can I dedicate a NIC to a workload?
    6. Tenant 2: Multiple VM Workloads. Data Center. Tenant 1: Multiple VM Workloads
    7. Tenant 2: Multiple VM Workloads. Data Center. Tenant 1: Multiple VM Workloads. TEAMING
    8. Tenant 2: Multiple VM Workloads. Data Center. Tenant 1: Multiple VM Workloads. 15, 25, $$, $$$$
    9. Tenant 2: Multiple VM Workloads. Data Center. Tenant 1: Multiple VM Workloads
    10. Cloud Data Center. Woodgrove Bank: Blue 10.1.0.0/16. Contoso Bank: Red 10.1.0.0/16
    11. Win 8 Host. Blue 10.1.1.21; Red1 10.1.1.11; To Internet (10.1.1.1); Hyper-V Switch; Red2 10.1.1.12; Green 10.1.1.31. Isolated 4, 7; Isolated 4, 7; Community 4, 9; Community 4, 9
    12. Physical network / Physical server; Woodgrove VM, Contoso VM; Woodgrove network, Contoso network. Hyper-V Machine Virtualization: • Run multiple virtual servers on a physical server • Each VM has the illusion it is running as a physical server. Hyper-V Network Virtualization: • Run multiple virtual networks on a physical network • Each virtual network has the illusion it is running as a physical fabric
    13. Tenant 2: Multiple VM Workloads. Data Center. Tenant 1: Multiple VM Workloads
    14. Hyper-V Extensible Switch: PVLANs; ARP/ND Poisoning Protection; DHCP Guard Protection; Virtual Port ACLs; Trunk Mode to Virtual Machines; Monitoring & Port Mirroring; Windows PowerShell & WMI Management. The Hyper-V Extensible Switch allows a deeper integration with customers’ existing network infrastructure, monitoring, and security tools
    15. Diagram: Physical NIC; Root Partition; Extensible Switch; Extension Protocol; Extension Miniport; Host NIC; VM NIC (VM1); VM NIC (VM2). Capture Extensions (NDIS); Windows Filter Platform (WFP): Filtering Engine, BFE Service, Firewall Callout; Forwarding Extensions (NDIS).
        • Capture extensions can inspect traffic and generate new traffic for report purposes
        • Capture extensions do not modify existing Extensible Switch traffic
        • Example: sflow by inMon
        • Windows Filter Platform (WFP) extensions can inspect, drop, modify, and insert packets using WFP APIs
        • Windows antivirus and firewall software uses WFP for traffic filtering
        • Example: Virtual Firewall by 5NINE Software
        • Forwarding extensions direct traffic, defining the destination(s) of each packet
        • Forwarding extensions can capture and filter traffic
        • Examples: Cisco Nexus 1000V and UCS; NEC ProgrammableFlow's vPFS OpenFlow
    16. • Open, Extensible Virtual Switch • Nexus 1000 Support • Openflow Support • Network Introspection • Much more… • Advanced Networking • ACLs • PVLAN • …much more… • Windows NIC Teaming • Network QoS • Per VNIC bandwidth reservation & limits • Network Metering • DVMQ • SR-IOV Network Support • Reduce Latency & CPU Utilization • Supports Live Migration
    17. • Reduces latency of network path • Reduces CPU utilization for processing network traffic • Increases throughput • Supports Live Migration. Network I/O path with SR-IOV vs. network I/O path without SR-IOV: Physical NIC; Root Partition; Hyper-V Switch (Routing, VLAN Filtering, Data Copy); Virtual Machine; Virtual NIC; SR-IOV Physical NIC; Virtual Function
    18. SR-IOV Enabling & Live Migration. Diagram: Virtual Machine; Network Stack; Software NIC; Virtual Function; SR-IOV Physical NIC; Physical NIC; Software Switch (IOV Mode); “TEAM”.
        Turn On IOV: • Enable IOV (VM NIC Property) • Virtual Function is “Assigned” • Team automatically created • Traffic flows through VF • Software path is not used
        Live Migration: • Break Team • Remove VF from VM • Migrate as normal
        Post Migration: • Reassign Virtual Function, assuming resources are available. VM has connectivity even if: • Switch not in IOV mode • IOV physical NIC not present • Different NIC vendor • Different NIC firmware
    19. IPsec Task Offload: Microsoft expects deployment of Internet Protocol security (IPsec) to increase significantly in the coming years. The large demands placed on the CPU by the IPsec integrity and encryption algorithms can reduce the performance of your network connections. IPsec Task Offload is a technology built into the Windows operating system that moves this workload from the main computer's CPU to a dedicated processor on the network adapter. SR-IOV is a specification that allows a PCIe device to appear to be multiple separate physical PCIe devices. The SR-IOV specification was created and is maintained by the PCI SIG, with the idea that a standard specification will help promote interoperability. SR-IOV works by introducing the idea of physical functions (PFs) and virtual functions (VFs). Physical functions (PFs) are full-featured PCIe functions; virtual functions (VFs) are “lightweight” functions that lack configuration resources. Dynamic Virtual Machine Queue (dVMQ) uses hardware packet filtering to deliver packet data from an external virtual machine network directly to virtual machines, which reduces the overhead of routing packets and copying them from the management operating system to the virtual machine.
    20. Set-VMNetworkAdapter -VMName MyVM -PortMirroring Source
    21. Add-VMNetworkAdapterAcl
    22. Set-VMNetworkAdapterVlan
    23. Set-VMNetworkAdapterVlan
    24. Networking Performance. The Hyper-V Extensible Switch takes advantage of hardware innovation to drive the highest levels of networking performance within virtual machines.
        Dynamic VMQ: Dynamically span multiple CPUs when processing virtual machine network traffic
        IPsec Task Offload: Offload IPsec processing from within the virtual machine to the physical network adaptor, enhancing performance
        SR-IOV Support: Map a virtual function of an SR-IOV-capable physical network adaptor directly to a virtual machine
    25. Feature                   Windows Server 2008   Windows Server 2008 R2   Windows Server 2012
        NIC Teaming               Yes, via partners     Yes, via partners        Windows NIC Teaming in box
        VLAN Tagging              Yes                   Yes                      Yes
        MAC Spoofing Protection   No                    Yes, with R2 SP1         Yes
        ARP Spoofing Protection   No                    Yes, with R2 SP1         Yes
        SR-IOV Networking         No                    No                       Yes
        Network QoS               No                    No                       Yes
        Network Metering          No                    No                       Yes
        Network Monitor Modes     No                    No                       Yes
        IPsec Task Offload        No                    No                       Yes
        VM Trunk Mode             No                    No                       Yes
    26. Hyper-V is fully integrated in the Windows network stack. Use the synthetic network adapter. Use VLAN tagging & firewall rules for security. Windows Server 2012 includes inbox NIC Teaming for load balancing and failover. VMQ provides great performance for most workloads. SR-IOV for low latency, high throughput workloads.
    27. ©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
