
Microsoft Virtual Academy
Hyper-V Networking
Symon Perriman, Technical Evangelist
Jeff Woolsey, Principal Program Manager

Introduction to Hyper-V Jump Start

First Half
(01) Introduction to Microsoft Virtualization
(02) Hyper-V Infrastructure
(03) Hyper-V Networking
(04) Hyper-V Storage

** MEAL BREAK **

Second Half
(05) Hyper-V Management
(06) Hyper-V High Availability and Live Migration
(07) Integration with System Center 2012 Virtual Machine Manager
(08) Integration with Other System Center 2012 Components

Agenda

Virtual networks
Software Defined Networking
Hyper-V Extensible Switch
Network teaming
Guest Network Load Balancing


Virtual Networks

Virtual Switch Architecture

Implemented as an NDIS 6.0 MUX driver
  Binds to network adapters as a protocol driver
  Can enumerate a single-host interface
Basic layer-2 switch functionality
  Dynamically learns port to MAC mappings
  Implements VLANs
  Does not implement spanning trees
  Does not implement layer 3

Configuring Virtual Networks

Configured from Virtual Switch Manager
External networks
  VMs can communicate with other computers on the network
  Only 1 per physical NIC
Internal networks
  VMs can communicate only with other VMs on the same host, and with the host computer
Private networks
  VMs can communicate only with other VMs on the same host

Virtual Network Adapters

Synthetic Adapters
  Not based on a physical device
  Doesn't support PXE boot
  Significantly higher performance vs. emulated
  Drivers provided for supported operating systems:
    Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
    Windows XP, Windows Vista, Windows 7, Windows 8
    Linux (SLES 10, 11), RHEL 5.x/6.x, CentOS 5.x/6.x, OpenSUSE, etc.

Legacy (Emulated) Adapters
  Emulates a physical DEC21140 chipset
  Supports PXE boot
  Drivers exist for most operating systems

Network Considerations

Customers
  How do I ensure network multitenancy?
  IP address management is a pain.
  What if VMs are competing for bandwidth?
  Fully Leverage

Network Fabric
  How do I integrate with existing fabric?
  Network Metering?
  Can I dedicate a NIC to a workload?

Hybrid Clouds
Windows Server 2012 is optimized for Hybrid Clouds to host multi-tenant workloads
[Diagram: Tenant 1 and Tenant 2, each with multiple VM workloads, in one data center]

Reliability
Even when hardware fails, customers want continuous availability
[Diagram: the same two tenants; the data center network uses teaming]

Predictability
Even when multiple VMs are competing for bandwidth, customers want predictability
[Diagram: the same two tenants, labelled 15 / $$ and 25 / $$$$]

Security
In a multi-tenant environment, customers want security and isolation
[Diagram: the same two tenants, isolated from each other in the data center]

Multi-Tenant Network Requirements

Tenant wants to easily move VMs to/from the cloud
Hoster wants to place VMs anywhere in the data center
Both want: Easy Onboarding, Flexibility & Isolation
[Diagram: Woodgrove Bank (Blue, 10.1.0.0/16) and Contoso Bank (Red, 10.1.0.0/16) both move VMs into the same Cloud Data Center with overlapping address space]

One Solution: PVLAN

[Diagram: a Win 8 host running the Hyper-V switch with four VMs, Green, Blue, Red1 and Red2 (10.1.1.31, 10.1.1.21, 10.1.1.11, 10.1.1.12). Two ports are Isolated on primary VLAN 4, secondary VLAN 7; two ports are Community on primary VLAN 4, secondary VLAN 9. Uplink to the Internet via 10.1.1.1]

Isolation Scenario
Hoster wants to isolate all VMs from each other and allow internet connectivity
#1 Customer Ask from hosters

Community Scenario
Hoster wants tenant VMs to interact with each other but not with other tenant VMs
Requires a VLAN id for each community (limited scalability, only 4095 VLAN IDs)

Software Defined Networking

Software Defined Networking (SDN)

An SDN solution can accomplish several things
  Create virtual networks that run on top of the physical network
  Control traffic flow within the datacenter
  Create integrated policies that span the physical and virtual networks
  On a per-VM basis, configure security policies that limit the types of traffic (and destinations)

SDN: Network Virtualization

Hyper-V Machine Virtualization
  Run multiple virtual servers on a physical server
  Each VM has the illusion it is running as a physical server
  [Diagram: Woodgrove VM and Contoso VM on one physical server]

Hyper-V Network Virtualization
  Run multiple virtual networks on a physical network
  Each virtual network has the illusion it is running as a physical fabric
  [Diagram: Woodgrove network and Contoso network on one physical network]

Software Defined Networking (SDN)

How network virtualization works
  Two IP addresses for each virtual machine
  Generic Routing Encapsulation (GRE)
  IP address rewrite
  Policy management server

Problems solved
  Removes VLAN constraints
  Eliminates hierarchical IP address assignment for virtual machines
  On a per-VM basis, configure security policies that limit the types of traffic (and destinations)

Generic Routing Encapsulation (GRE)

How GRE works
  Defined by RFC 2784 and 2890
  One customer address per virtual machine
  One provider address per host
  Tenant network ID
  MAC header

Benefits
  Lowers burden on switches
  Allows traffic analysis, metering and control
  Enables Live Migration across subnets

Extensibility
Customers want specialized functionality with lots of choice for firewalls, monitoring and physical fabric integration
[Diagram: Tenant 1 and Tenant 2, each with multiple VM workloads, in one data center]

Hyper-V Extensible Switch

Hyper-V Extensible Switch

  ARP/ND Poisoning Protection
  PVLANs
  DHCP Guard Protection
  Windows PowerShell & WMI Management
  Virtual Port ACLs
  Trunk Mode to Virtual Machines
  Monitoring & Port Mirroring

The Hyper-V Extensible Switch allows a deeper integration with customers' existing network infrastructure, monitoring, and security tools

Hyper-V Extensible Switch

[Diagram: VM1 and VM2 (VM NICs) and the Root Partition (Host NIC) attach to the Extensible Switch. Inside the switch, the Extension Protocol layer is followed by Capture Extensions (NDIS), the Windows Filtering Platform (WFP) filtering engine with its Firewall Callout and the BFE Service, Forwarding Extensions (NDIS) and the Extension Miniport, which connects to the Physical NIC]

Capture extensions can inspect traffic and generate new traffic for report purposes
  Capture extensions do not modify existing traffic
  Example: sFlow by inMon

Windows Filtering Platform (WFP) extensions can inspect, drop, modify, and insert packets using WFP APIs
  Windows Antivirus and Firewall software uses WFP for traffic filtering
  Example: Virtual Firewall by 5NINE

Forwarding extensions direct traffic, defining the destination(s) of each packet
  Forwarding extensions can capture and filter traffic
  Examples: Cisco Nexus 1000V Switch and UCS; NEC ProgrammableFlow's vPFS OpenFlow Software

Feature Rich Networking in the Box

Open, Extensible Virtual Switch
  Nexus 1000 Support
  OpenFlow Support
  Network Introspection
  Much more

Advanced Networking
  ACLs
  PVLAN
  Much more

Windows NIC Teaming

Network QoS
  Per vNIC bandwidth reservation & limits

Network Metering

DVMQ

SR-IOV Network Support
  Reduce Latency & CPU Utilization
  Supports Live Migration

Single-Root I/O Virtualization (SR-IOV)

Reduces latency of network path
Reduces CPU utilization for processing network traffic
Increases throughput
Direct device assignment to virtual machines without compromising flexibility
Supports Live Migration

[Diagram: Network I/O path without SR-IOV: Virtual Machine > Virtual NIC > VMBus > Root Partition (Hyper-V Switch: Routing, VLAN Filtering, Data Copy) > Physical NIC. Network I/O path with SR-IOV: Virtual Machine > Virtual Function of the SR-IOV Physical NIC, bypassing the root partition]

SR-IOV Enabling & Live Migration

Turn On IOV
  Enable IOV (VM NIC Property)
  Virtual Function is Assigned
  Team automatically created
  Traffic flows through VF
  Software path is not used

Live Migration
  Break Team
  Remove VF from VM
  Migrate as normal

Post Migration
  Reassign Virtual Function
  Assuming resources are available

VM has connectivity even if
  Switch not in IOV mode
  IOV physical NIC not present
  Different NIC vendor
  Different NIC firmware

[Diagram: inside the Virtual Machine, the Network Stack sits on a TEAM of the Software NIC and the Virtual Function; the Software NIC attaches to the Software Switch (IOV Mode), the Virtual Function to the SR-IOV Physical NIC]

DVMQ vs. SR-IOV Considerations

DVMQ Pros:
  Improves VM Performance
  Provides Receive Side Scaling benefits by spreading network load across multiple logical processors
  Can use the Hyper-V Extensible Switch
DVMQ Cons:
  If you need greater than 10 Gb/E for a workload, SR-IOV is likely the better choice

SR-IOV Pros:
  Great performance
  Great for low latency workloads
SR-IOV Cons:
  Bypasses the virtual switch

Cloud Admins Want Scale, Customers Perf

DVMQ, IPsec Task Offload, SR-IOV

Dynamic Virtual Machine Queue (DVMQ) uses hardware packet filtering to deliver packet data from an external virtual machine network directly to virtual machines, which reduces the overhead of routing packets and copying them from the management operating system to the virtual machine.

IPsec Task Offload: Microsoft expects deployment of Internet Protocol security (IPsec) to increase significantly in the coming years. The large demands placed on the CPU by the IPsec integrity and encryption algorithms can reduce the performance of your network connections. IPsec Task Offload is a technology built into the Windows operating system that moves this workload from the main computer's CPU to a dedicated processor on the network adapter.

SR-IOV is a specification that allows a PCIe device to appear to be multiple separate physical PCIe devices. The SR-IOV specification was created and is maintained by the PCI-SIG, with the idea that a standard specification will help promote interoperability. SR-IOV works by introducing the idea of physical functions (PFs) and virtual functions (VFs). Physical functions (PFs) are full-featured PCIe functions; virtual functions (VFs) are lightweight functions that lack configuration resources.

Advanced Network Security

DHCP Guard, Router Guard, Monitor Port

DHCP Guard is a security feature that drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers.
Router Guard is a security feature that drops Router Advertisement and Redirection messages from unauthorized virtual machines pretending to be routers.
Monitor Mode duplicates all egress and ingress traffic to/from one or more switch ports (being monitored) to another switch port (performing monitoring).

Manage to a Service Level Agreement

Network Bandwidth & QoS
Bandwidth Management allows you to easily reserve minimums or set maximums to provide QoS controls to manage to a service level agreement

Port Mirroring
Provided by the Hyper-V Extensible Switch
Administrator can run security and diagnostics applications in virtual machines that can monitor virtual machine network traffic
Port mirroring also supports live migration of extension configurations
Set-VMNetworkAdapter -VMName MyVM -PortMirroring Source
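The DHCP Guard, Router Guard and Port Mirroring settings from the two slides above, applied together to the tenant VMs of the earlier PVLAN diagram. This is an added example, not code from the deck; the monitoring VM name SecMon and the assumption that all adapters sit on one virtual switch (mirroring only works between ports of the same switch) are illustrative.

```powershell
# Added example (not from the deck): harden tenant switch ports and mirror their
# traffic to a monitoring VM. VM names other than Red1/Red2/Blue/Green are assumptions.
$TenantVMs = 'Red1', 'Red2', 'Blue', 'Green'   # tenant VMs from the PVLAN diagram
$MonitorVM = 'SecMon'                          # assumed VM running the capture/IDS tool

foreach ($vm in $TenantVMs) {
    # DhcpGuard drops DHCP server replies sent by the VM; RouterGuard drops router
    # advertisements and redirects it sends. PortMirroring Source copies the port's
    # ingress and egress frames to the mirror destination on the same switch.
    Set-VMNetworkAdapter -VMName $vm -DhcpGuard On -RouterGuard On -PortMirroring Source
}

# The monitoring VM's adapter receives the mirrored copies. The guard features stay
# on here as well: a monitoring box has no reason to serve DHCP or advertise routes.
Set-VMNetworkAdapter -VMName $MonitorVM -DhcpGuard On -RouterGuard On -PortMirroring Destination

# Audit: list every VM adapter on the host that deviates from the guard baseline.
# Anything printed is configuration drift worth investigating.
function Get-GuardDrift {
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { $_.DhcpGuard -ne 'On' -or $_.RouterGuard -ne 'On' } |
        Select-Object VMName, Name, DhcpGuard, RouterGuard, PortMirroringMode
}
Get-GuardDrift | Format-Table -AutoSize
```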

Network Teaming

Windows Server 2012 Network Teaming

Failover teaming
  Typically two interfaces
  Typically connected to different switches
  Provides redundancy for NIC card, cable, or switch failure

Aggregation/load balancing teams
  Two or more interfaces
  Divides network traffic between active interfaces by MAC/IP address or protocol
  Redundancy for NIC card or cable failure

Microsoft Supported
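Putting the teaming slide together with the earlier external-switch and Bandwidth & QoS slides: an inbox team, one external switch bound to it, and per-vNIC minimum bandwidth weights. Added example, not the deck's own code; the adapter names NIC1/NIC2, the team and switch names, and the tenant VM names are assumptions.

```powershell
# Added example (not from the deck): failover/aggregation team, external switch on the
# team NIC, weight-based QoS. Adapter, team, switch and VM names are assumptions.
$Members = 'NIC1', 'NIC2'   # two physical ports, ideally cabled to different physical switches

# Switch-independent mode needs no LACP or static LAG upstream and survives a NIC,
# cable or switch failure on either member. HyperVPort distribution pins each vNIC to
# one member, so a VM's MAC address is seen on only one uplink at a time.
New-NetLbfoTeam -Name 'HV-Team' -TeamMembers $Members -TeamNicName 'HV-Team' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false | Out-Null

# One external switch per physical NIC (here: per team NIC). Weight mode shares the
# uplink by ratio under contention rather than with hard caps.
New-VMSwitch -Name 'External-Team' -NetAdapterName 'HV-Team' `
    -MinimumBandwidthMode Weight -AllowManagementOS $true | Out-Null

# Attach the two tenant VMs (assumed to exist) and reserve bandwidth by weight; the
# weights on one switch should sum to at most 100. MaximumBandwidth is bits per second.
Connect-VMNetworkAdapter -VMName 'Tenant1-Web' -SwitchName 'External-Team'
Connect-VMNetworkAdapter -VMName 'Tenant2-Web' -SwitchName 'External-Team'
Set-VMNetworkAdapter -ManagementOS -MinimumBandwidthWeight 10
Set-VMNetworkAdapter -VMName 'Tenant1-Web' -MinimumBandwidthWeight 30
Set-VMNetworkAdapter -VMName 'Tenant2-Web' -MinimumBandwidthWeight 60 -MaximumBandwidth 2000000000  # 2 Gbps cap

# Verify: both members up, and the weights landed on the intended adapters.
Get-NetLbfoTeamMember -Team 'HV-Team' | Format-Table Name, AdministrativeMode, OperationalStatus -AutoSize
Get-VMNetworkAdapter -All | Where-Object SwitchName -eq 'External-Team' |
    Select-Object VMName, Name,
        @{ n = 'MinWeight';     e = { $_.BandwidthSetting.MinimumBandwidthWeight } },
        @{ n = 'MaxBitsPerSec'; e = { $_.BandwidthSetting.MaximumBandwidth } } |
    Format-Table -AutoSize
```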

Port ACL
A rule that you can apply to a Hyper-V switch port
Can allow or deny packets
Inbound or outbound control
ACLs have three elements, with the following structure:
  Local or Remote Address
  Direction
  Action
Add-VMNetworkAdapterAcl
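A default-deny port ACL set for the deck's Red1 VM, using the three elements listed above (address, direction, action) plus the Meter action for the Network Metering feature named elsewhere in the deck. Added example, not from the deck; the tenant range 10.1.0.0/16 comes from the earlier diagrams, and the jump host 192.0.2.10 is a documentation-range placeholder.

```powershell
# Added example (not from the deck): port ACLs for a back-end tenant VM that needs no
# Internet access. 10.1.0.0/16 is the tenant range from the deck's diagrams; the jump
# host address 192.0.2.10 (TEST-NET-1) is a placeholder.
$VM = 'Red1'

# Hyper-V matches port ACLs by longest prefix, so the wildcard deny and the narrower
# allows may be added in any order: 10.1.0.0/16 overrides 0.0.0.0/0, and a /32 overrides both.
# These Windows Server 2012 ACLs are stateless: there is no connection tracking, so
# return traffic must match its own rule. Hence the allows use -Direction Both.
Add-VMNetworkAdapterAcl -VMName $VM -RemoteIPAddress 0.0.0.0/0   -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $VM -RemoteIPAddress ::/0        -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $VM -RemoteIPAddress 10.1.0.0/16 -Direction Both -Action Allow
Add-VMNetworkAdapterAcl -VMName $VM -RemoteIPAddress 192.0.2.10  -Direction Both -Action Allow

# Meter outbound traffic for chargeback (Network Metering). Meter rules count traffic;
# they do not replace the Allow/Deny decision made above.
Add-VMNetworkAdapterAcl -VMName $VM -RemoteIPAddress 0.0.0.0/0 -Direction Outbound -Action Meter
Enable-VMResourceMetering -VMName $VM

# Review the rules that are actually in force on the port, then the metered counters.
function Get-PortAclSummary {
    param([string]$Name)
    Get-VMNetworkAdapterAcl -VMName $Name |
        Select-Object Direction, LocalAddress, RemoteAddress, Action
}
Get-PortAclSummary -Name $VM | Format-Table -AutoSize
(Measure-VM -VMName $VM).NetworkMeteredTrafficReport | Format-Table -AutoSize
```

Roll back with Remove-VMNetworkAdapterAcl using the same address, direction and action; with several adapters on one VM, add -VMNetworkAdapterName to target the right port.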

PVLANs
PVLAN addresses some of the scalability issues of VLANs
Set as a switch port property
PVLAN has two VLAN IDs: a primary VLAN ID and a secondary VLAN ID
PVLAN may be in one of three modes
  Isolated
  Promiscuous
  Community
Set-VMNetworkAdapterVlan

Trunk Mode
Hyper-V Virtual Switch provides support for VLAN Trunk mode
Provides network services on a virtual machine with the ability to see traffic from multiple VLANs
The switch port receives traffic from all VLANs that are in an allowed VLAN list
Set-VMNetworkAdapterVlan
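The PVLAN layout of the "One Solution: PVLAN" diagram (primary VLAN 4, secondary 7 isolated, secondary 9 community) and the PVLANs and Trunk Mode slides above, expressed with Set-VMNetworkAdapterVlan. Added example, not from the deck; the Gateway and Appliance VM names and the 10-20 VLAN range are assumptions. PVLAN semantics hold between ports of this host's switch; spanning hosts needs the same primary/secondary mapping on the physical switches.

```powershell
# Added example (not from the deck): PVLAN modes from the diagram, a promiscuous
# gateway port, and a trunk port. 'Gateway', 'Appliance' and VLANs 10-20 are assumptions.

# Isolation scenario: Red1 and Red2 cannot reach each other or the community ports;
# they can reach only promiscuous ports on primary VLAN 4.
foreach ($vm in 'Red1', 'Red2') {
    Set-VMNetworkAdapterVlan -VMName $vm -Isolated -PrimaryVlanId 4 -SecondaryVlanId 7
}

# Community scenario: Blue and Green reach each other and promiscuous ports, but not
# the isolated ports or any other community. One secondary VLAN ID per community.
foreach ($vm in 'Blue', 'Green') {
    Set-VMNetworkAdapterVlan -VMName $vm -Community -PrimaryVlanId 4 -SecondaryVlanId 9
}

# The gateway (the diagram's 10.1.1.1) sits on a promiscuous port that sees every
# listed secondary VLAN, which is how isolated tenants still get Internet connectivity.
# The list parameter is a string: "7,9" or a range such as "7-9".
Set-VMNetworkAdapterVlan -VMName 'Gateway' -Promiscuous -PrimaryVlanId 4 -SecondaryVlanIdList '7,9'

# Trunk Mode: a VM hosting a network service that must see tagged frames from several
# VLANs. Frames outside the allowed list are dropped; untagged frames map to the native VLAN.
Set-VMNetworkAdapterVlan -VMName 'Appliance' -Trunk -AllowedVlanIdList '4,10-20' -NativeVlanId 4

# Review the resulting per-port VLAN configuration for every VM on the host.
function Get-VlanPortSummary {
    Get-VM | Get-VMNetworkAdapterVlan |
        Select-Object @{ n = 'VM'; e = { $_.ParentAdapter.VMName } },
            OperationMode, PrimaryVlanId, SecondaryVlanId, SecondaryVlanIdList,
            AllowedVlanIdList, NativeVlanId
}
Get-VlanPortSummary | Format-Table -AutoSize
```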

Networking Performance

Dynamic VMQ
  Dynamically span multiple CPUs when processing virtual machine network traffic
IPsec Task Offload
  Offload IPsec processing from within the virtual machine to the physical network adapter, enhancing performance
SR-IOV Support
  Map a virtual function of an SR-IOV-capable physical network adapter directly to a virtual machine

The Hyper-V Extensible Switch takes advantage of hardware innovation to drive the highest levels of networking performance within virtual machines

Network Load Balancing

VMs Using Network Load Balancing

To configure VMs in a Network Load Balancing (NLB) cluster, enable MAC address spoofing
  This ensures the virtual switch will not learn MAC addresses, a requirement for NLB to function correctly
VMQ does not work with NLB
  NLB changes the virtual MAC addresses, which prevents Hyper-V from dispatching the packets directly to the guest's queue
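The two settings the NLB slide calls for, applied only to the cluster members, followed by a check that no other VM on the host has MAC spoofing enabled. Added example, not from the deck; the node names Web01/Web02 are assumptions.

```powershell
# Added example (not from the deck): enable MAC address spoofing and disable VMQ for
# the NLB nodes only, then report any other VM with spoofing turned on. Names are assumptions.
$NlbNodes = 'Web01', 'Web02'

foreach ($vm in $NlbNodes) {
    # MacAddressSpoofing On stops the switch from pinning this port to one learned MAC,
    # which NLB needs because the cluster MAC is shared by all nodes. VmqWeight 0 turns
    # off the hardware queue that would try to dispatch on the rewritten MAC.
    Set-VMNetworkAdapter -VMName $vm -MacAddressSpoofing On -VmqWeight 0
}

# MAC spoofing is a privilege that undoes the switch's MAC pinning, so every VM that is
# not an NLB node should still report Off. Anything returned here is an exception to explain.
function Get-UnexpectedMacSpoofing {
    param([string[]]$Allowed)
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { $_.MacAddressSpoofing -eq 'On' -and $_.VMName -notin $Allowed } |
        Select-Object VMName, Name, MacAddress, MacAddressSpoofing, VmqWeight
}
Get-UnexpectedMacSpoofing -Allowed $NlbNodes | Format-Table -AutoSize
```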

Windows Server 2012 Networking: It's All There

Feature rich, extensible, in the box, no compromises

Feature                   Windows Server 2008   Windows Server 2008 R2   Windows Server 2012
NIC Teaming               Yes, via partners     Yes, via partners        Windows NIC Teaming in box
VLAN Tagging              Yes                   Yes                      Yes
MAC Spoofing Protection   No                    Yes, with R2 SP1         Yes
ARP Spoofing Protection   No                    Yes, with R2 SP1         Yes
SR-IOV Networking         No                    No                       Yes
Network QoS               No                    No                       Yes
Network Metering          No                    No                       Yes
Network Monitor Modes     No                    No                       Yes
IPsec Task Offload        No                    No                       Yes
VM Trunk Mode             No                    No                       Yes

Takeaways
Hyper-V is fully integrated in the Windows network
stack
Use the synthetic network adapter
Use VLAN tagging & firewall rules for security
Windows Server 2012 includes inbox NIC Teaming for
load balancing and failover
VMQ provides great performance for most workloads
SR-IOV for low latency, high throughput workloads

2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks
and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of
the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
