hyper-v networking

MicrosoftVirtual Academy

Hyper-V Networking

Symon Perriman Jeff WoolseyTechnical Evangelist Principal Program Manager


First Half Second Half

(01) Introduction to Microsoft Virtualization

(05) Hyper-V Management

(02) Hyper-V Infrastructure (06) Hyper-V High Availability

and Live Migration

(03) Hyper-V Networking (07) Integration with System Center

2012 Virtual Machine Manager

(04) Hyper-V Storage(08) Integration with Other

System Center 2012 Components

** MEAL BREAK **

Introduction to Hyper-V Jump Start


• Virtual networks• Software Defined Networking• Hyper-V Extensible Switch• Network teaming• Guest Network Load Balancing

Agenda

Virtual Networks

Virtual Switch ArchitectureImplemented as an NDIS 6.0 MUX driverBinds to network adapters as a protocol driverCan enumerate a single-host interface

Basic layer-2 switch functionalityDynamically “learns” port to MAC mappingsImplements VLANsDoes not implement spanning treesDoes not implement layer 3

Configuring Virtual NetworksConfigured from Virtual Switch ManagerExternal networksVMs can communicate with other computers on the networkOnly 1 per physical NIC

Internal networks VMs can communicate with only other VMs on the same host, and with the host computer

Private networks VMs can communicate only with other VMs on the same host

Virtual Network Adapters Synthetic AdaptersNot based on a physical deviceDoesn’t support PXE bootSignificantly higher performance vs. emulatedDrivers provided for supported operating systemsWindows Server 2012 extensible switch

Legacy (Emulated) AdaptersEmulates a physical DEC21140 chipsetSupports PXE bootDrivers exist for most operating systems

Windows Server 2003 SP2Windows Server 2008Windows Server 2008 R2Windows Server 2012Linux (SLES 10, 11)RHEL 5.x/6.xCentOS 5.x/6.x

Windows XPWindows VistaWindows 7Windows 8OpenSUSEEtc.

Network ConsiderationsCustomers

• How do I ensure network multi-tenancy?

• IP Address Management is a pain.

• What if VMs are competing for bandwidth?

• Fully Leverage Network Fabric

• How do I integrate with existing fabric?

• Network Metering?• Can I dedicate a NIC

to a workload?

Hybrid Clouds

Windows Server 2012 is optimized for Hybrid Clouds to host multi-tenant workloads

Tenant 2: Multiple VM Workloads

Data Center


Reliability

Even when hardware fails …… customers want continuous availability


Data Center

Tenant 1: Multiple VM WorkloadsTEAMING

Predictability

Even when multiple VMs are competing for bandwidth …

… customers want predictability


Data Center


15

25

$$

$$$$

Security

In a multi-tenant environment …… customers want security and isolation


Data Center


Multi-Tenant Network Requirements• Tenant wants to easily move VMs to/from

the cloud• Hoster wants to place VMs anywhere in

the data center• Both want: Easy Onboarding, Flexibility &

IsolationCloud Data Center

Woodgrove BankBlue 10.1.0.0/16

Contoso BankRed 10.1.0.0/16

One Solution: PVLAN

• Isolation Scenario• Hoster wants to isolate all VMs from each other and allow internet connectivity

• #1 Customer Ask from hosters

• Community Scenario• Hoster wants tenant VMs to interact with each other but not with other tenant VMs

• Requires a VLAN id for each “community” (limited scalability, only 4095 VLAN IDs)

u

Win 8 Host

Blue10.1.1.21

Red110.1.1.11

To Internet (10.1.1.1)

Hyper-V Switch

Red210.1.1.12

Green10.1.1.31

Isolated4, 7

Isolated4, 7

Community4, 9

Community4, 9

Software Defined Networking

Software Defined Networking (SDN)An SDN solution can accomplish several thingsCreate virtual networks that run on top of the physical networkControl traffic flow within the datacenterCreate integrated policies that span the physical and virtual networksOn a per-VM basis, configure security policies that limit the types of traffic (and destinations)

SDN: Network Virtualization

Physical network

Physicalserver

Woodgrove VM Contoso VM Woodgrove network Contoso network

Hyper-V Machine Virtualization• Run multiple virtual servers on a physical

server• Each VM has illusion it is running as a

physical server

Hyper-V Network Virtualization• Run multiple virtual networks on a physical network• Each virtual network has illusion it is running as a

physical fabric

Software Defined Networking (SDN)How network virtualization worksTwo IP addresses for each virtual machineGeneral Routing Encapsulation (GRE)IP address rewritePolicy management server

Problems solvedRemoves VLAN constraintsEliminates hierarchical IP address assignment for virtual machinesOn a per-VM basis, configure security policies that limit the types of traffic (and destinations)

Generic Routing Encapsulation (GRE)How GRE worksDefined by RFC 2784 and 2890One customer address per virtual machineOne provider address per hostTenant network IDMAC header

BenefitsLowers burden on switchesAllows traffic analysis, metering and controlEnable Live Migration across subnets

Extensibility

Customers want specialized functionality with lots of choice …

… for firewalls, monitoring and physical fabric integration


Data Center


Hyper-V Extensible Switch


PVLANS

ARP/ND Poisoning Protection

DHCP Guard Protection

Virtual Port ACLs

Trunk Modeto Virtual Machines

Monitoring & Port Mirroring

Windows PowerShell & WMI Management

The Hyper-V Extensible Switch allows a deeper integration with customers’ existing network infrastructure, monitoring, and security tools


Physical NIC

Root Partition

Extensible Switch

Extension Protocol

Extension Miniport

Host NICVM NIC

VM1

VM NIC

VM2 Capture extensions can inspect traffic and generate new traffic for report purposes

Capture extensions do not modify existing Extensible Switch traffic

Example: sflow by inMon

Windows Filter Platform (WFP) Extensions can inspect, drop, modify, and insert packets using WFP APIs

Windows Antivirus and Firewall software uses WFP for traffic filtering

Example: Virtual Firewall by 5NINE Software

Forwarding extensions direct traffic, defining the destination(s) of each packet

Forwarding extensions can capture and filter traffic

Examples:– Cisco Nexus 1000V and UCS– NEC ProgrammableFlow's vPFS OpenFlowCapture Extensions

(NDIS)

Windows Filter Platform (WFP)

Forwarding ExtensionsForwarding

Extensions (NDIS)

Filtering Engine

BFE Service Firewall

Callout

Feature Rich Networking in the Box• Open, Extensible Virtual

Switch• Nexus 1000 Support• Openflow Support• Network Introspection• Much more…

• Advanced Networking• ACLs• PVLAN• …much more…

• Windows NIC Teaming

• Network QoS• Per VNIC bandwidth reservation

& limits

• Network Metering

• DVMQ

• SR-IOV Network Support• Reduce Latency & CPU Utilization

• Supports Live Migration

Single-Root I/O Virtualization (SR-IOV)

• Reduces latency of network path

• Reduces CPU utilization for processing network traffic

• Increases throughput• Direct device assignment

to virtual machines without compromising flexibility

• Supports Live Migration

Network I/O path with SR-IOVNetwork I/O path without SR-IOV

Physical NIC

Root Partition

Hyper-V Switch

RoutingVLAN Filtering

Data Copy

Virtual Machine

Virtual NIC

SR-IOV Physical NIC

Virtual Function

VMBUS

Virtual MachineNetwork Stack

Software NIC

Enable IOV (VM NIC Property) Virtual Function is “Assigned” Team automatically created Traffic flows through VF

Turn On IOV Break Team Reassign Virtual Function

Assuming resources are available Migrate as normal

Live Migration Post Migration

Remove VF from VM

VM has connectivity even if

Switch not in IOV mode IOV physical NIC not

present Different NIC vendor Different NIC firmware

SR-IOV Enabling & Live Migration

SR-IOV Physical NICPhysical

NIC

Software Switch

(IOV Mode)

“TEAM”Software NIC

Virtual Function

SR-IOV Physical NIC

Software Switch

(IOV Mode)

“TEAM”

Virtual Function

Software path is not used

DVMQ vs. SR-IOV Considerations• DVMQ Pros:• Improves VM Performance

• Provides Receive Side Scaling benefits by spreading network load across multiple logical processors

• Can use the Hyper-V Extensible Switch

• DVMQ Cons:• If you need greater than 10 Gb/E for a

workload, SR-IOV is likely the better choice

• SR-IOV Pros:• Great performance• Great for low latency

workloads

• SR-IOV Cons:• Bypasses the virtual switch

Cloud Admins Want Scale, Customers PerfDVMQ, IPsec Task Offload, SR-IOV

IPsec Task Offload: Microsoft expects deployment of Internet Protocol security (IPsec) to increase significantly in the coming years. The large demands placed on the CPU by the IPsec integrity and encryption algorithms can reduce the performance of your network connections. IPsec Task Offload is a technology built into the Windows operating system that moves this workload from the main computer's CPU to a dedicated processor on the network adapter.

SR-IOV is a specification that allows a PCIe device to appear to be multiple separate physical PCIe devices. The SR-IOV specification was created and is maintained by the PCI SIG, with the idea that a standard specification will help promote interoperability. SR-IOV works by introducing the idea of physical functions (PFs) and virtual functions (VFs). Physical functions (PFs) are full-featured PCIe functions; virtual functions (VFs) are “lightweight” functions that lack configuration resources.

Dynamic Virtual Machine Queue (VMQ) dVMQ uses hardware packet filtering to deliver packet data from an external virtual machine network directly to virtual machines, which reduces the overhead of routing packets and copying them from the management operating system to the virtual machine.

Advanced Network SecurityDHCP Guard, Router Guard, Monitor Port

• DHCP Guard is a security feature that drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers.

• Router Guard is a security feature that drops Router Advertisement and Redirection messages from unauthorized virtual machines pretending to be routers.

• Monitor Mode duplicates all egress and ingress traffic to/from one or more switch ports (being monitored) to another switch port (performing monitoring)

Manage to a Service Level AgreementNetwork Bandwidth & QoS

• Bandwidth Management allows you to easily reserve minimum or set maximums to provide QoS controls to manage to a service level agreement

Port MirroringProvided by the Hyper-V Extensible switch Administrator can run security and diagnostics applications in virtual machines that can monitor virtual machine network trafficPort mirroring also supports live migration of extension configurations

Set-VMNetworkAdapter –VMName MyVM –PortMirroring Source

Network Teaming

Windows Server 2012 Network TeamingFailover teamingTypically two interfacesTypically connected to different switchesProvides redundancy for NIC card, cable, or switch failure

Aggregation/load balancing teamsTwo or more interfacesDivides network traffic between active interfaces by MAC/IP address or protocol Redundancy for NIC card or cable failure

Microsoft Supported

Port ACLA rule that you can apply to a Hyper-V switch port Can allow or deny packetsInbound or outbound controlACLs have three elements with the following structureLocal or Remote AddressDirectionAction

Add-VMNetworkAdapterAcl

PVLANSPVLAN addresses some of the scalability issues of VLANs Set as a switch port property PVLAN has two VLAN IDs: a primary VLAN ID and a secondary VLAN IDPVLAN may be in one of three modesIsolatedPromiscuousCommunity

Set-VMNetworkAdapterVlan

Trunk ModeHyper-V Virtual Switch provides support for VLAN Trunk modeProvides network services on a virtual machine with the ability to see traffic from multiple VLANSThe switch port receives traffic from all VLANs are in an allowed VLAN list

Set-VMNetworkAdapterVlan

Networking Performance

DynamicVMq

IPsec Task Offload

SR-IOV Support

The Hyper-V Extensible Switch takes advantage of hardware innovation to drive the highest levels of networking performance within virtual machines

Dynamically span multiple CPUs when processingvirtual machine network trafficOffload IPsec processing from within virtual machine,to physical network adaptor, enhancing performance

Map virtual function of an SR-IOV-capable physical network adaptor, directly to a virtual machine

Network Load Balancing

VMs Using Network Load BalancingTo configure VMs in a Network Load Balancing (NLB) cluster, enable MAC address spoofingThis ensures the virtual switch will not learn MAC addresses, a requirement for NLB to function correctlyVMQ does not work with NLBNLB changes the virtual MAC addresses which prevents Hyper-V from dispatching the packets directly to the guest’s queue

Windows Server 2012 Networking: It’s All ThereFeature rich, extensible, in the box, no compromises

Windows Server 2008 Windows Server 2008 R2 Windows Server 2012

NIC Teaming Yes, via partners Yes, via partners Windows NIC Teaming in box.

VLAN Tagging Yes Yes Yes

MAC Spoofing Protection No Yes, with R2 SP1 Yes

ARP Spoofing Protection No Yes, with R2 SP1 Yes

SR-IOV Networking No No Yes

Network QoS No No Yes

Network Metering No No Yes

Network Monitor Modes No No Yes

IPsec Task Offload No No Yes

VM Trunk Mode No No Yes

TakeawaysHyper-V is fully integrated in the Windows network stackUse the synthetic network adapterUse VLAN tagging & firewall rules for securityWindows Server 2012 includes inbox NIC Teaming for load balancing and failoverVMQ provides great performance for most workloadsSR-IOV for low latency, high throughput workloads

©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

hyper-v networking

Technology

iov mode iov physical

network fabric

virtual firewall

multiple virtual servers

multiple virtual networks

network adapter

network connections

multiple vm workloads