
Hyper-V Networking

Microsoft IT Camps - Virtualization

Virtual Switch Architecture


Implemented as an NDIS 6.0 MUX Driver
Binds To Network Adapters as a Protocol Driver
Can Enumerate A Single Host Interface

Basic Layer-2 Switch Functionality


Dynamically Learns Port to MAC Mappings
Implements VLANs
Does Not Implement Spanning Tree
Does Not Implement SPAN/Monitor Mode
Does Not Implement Layer 3

Configuring Virtual Networks


Configured from Virtual Network Manager

External Networks
  VMs can communicate with other computers on the network
  Only 1 per physical NIC

Internal Networks
  VMs can communicate with only other VMs on the same host, and with the host computer

Private Networks
  VMs can communicate only with other VMs on the same host

Virtual Network Adapters


Synthetic Adapters
  No Physical Device
  Communicates via VMBus to vmswitch.sys
  Does Not Support PXE Boot
  Significantly higher performance vs. Emulated
  Drivers Exist Only For Supported OSs: Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows XP, Windows Vista, Windows 7, Linux (SLES 10, 11), RHEL 5.x

Legacy (Emulated) Adapters
  Emulates a physical DEC21140 chipset
  Communicates via Interrupts to vmwp.exe then to vmswitch.sys
  Supports PXE Boot
  Drivers Exist For Most OSs

Network Teaming
Failover Teaming
  Typically Two Interfaces
  Typically Connected To Different Switches
  Provides Redundancy For NIC Card, Cable or Switch Failure

Aggregation/Load Balancing Teams
  Two or More Interfaces
  Divides Network Traffic Between Active Interfaces By MAC/IP Address or Protocol
  Redundancy for NIC Card or Cable Failure

Support provided by hardware vendors

Virtual Machine Queue (VMQ)


Overview
  NIC can DMA packets directly into VM memory
  VM Device buffer gets assigned to one of the queues
  Avoids packet copies in the VSP
  Avoids route lookup in the virtual switch (VMQ Queue ID)
  Allows the NIC to essentially appear as multiple NICs on the physical host (queues)

Benefits
  Host no longer has device DMA data in its own buffer, resulting in a shorter path length for I/O (performance gain)
  Recommended to use VMQ instead of VM Chimney (TCP Offload Support), which is complex with limited benefits

MAC Addresses
Pool of MAC addresses automatically assigned
VMs automatically assigned dynamic MAC addresses
Use static MAC addresses for DHCP
Use MAC address spoofing for NLB

Configuring (MAC) Address Pools


Hyper-V
  Microsoft reserved first 3 octets: 00-15-5D-**-**-**
  Each host has a random pool: 00-15-5D-**-**-00
  Sysprepping after installing Hyper-V will cause both hosts to have the same pool
  Default range of 256 addresses: 00-15-5D-**-**-00 to 00-15-5D-**-**-FF
  Will avoid conflicts on the same host

SCVMM
  Uses a broader range than Hyper-V
  First three octets standard, but changeable: 00-1D-D8-**-**-**
  Default range of 3,998,719 addresses: 00-1D-D8-B7-1C-00 to 00-1D-D8-F4-1F-FF
  Use SCVMM to avoid conflicts across hosts
  If changing the first three octets, do not use reserved ranges from Microsoft, VMware or Citrix
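The following is an added example, not part of the slide deck and not Microsoft code. It models the pool rules the slides state: a default Hyper-V pool is one 00-15-5D-xx-yy-00 to 00-15-5D-xx-yy-FF range of 256 addresses, two hosts sysprepped from one image end up with an identical pool (so their VMs can be handed the same MAC), and a custom SCVMM prefix must stay out of vendor reserved ranges. The host names, pool values and the reserved-OUI table are constructed for the example; the Microsoft prefixes come from the slides, the VMware and Xen entries are well-known vendor OUIs, and the table is deliberately not exhaustive.

```python
"""Added example: helpers for reasoning about Hyper-V / SCVMM style MAC pools.
Not from the slide deck; sample data and the reserved-OUI table are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Parse '00-15-5D-3A-7B-00' (dash or colon separated) into an integer."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(parts), 16)


def int_to_mac(value: int) -> str:
    """Inverse of mac_to_int, in the dash-separated form the slides use."""
    if not 0 <= value < 1 << 48:
        raise ValueError("value does not fit in 48 bits")
    return "-".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def oui(prefix_or_mac: str) -> str:
    """First three octets, normalised to upper-case dash notation."""
    return "-".join(prefix_or_mac.replace(":", "-").upper().split("-")[:3])


@dataclass(frozen=True)
class MacPool:
    host: str
    start: str
    end: str

    def size(self) -> int:
        # inclusive count of addresses in the pool
        return mac_to_int(self.end) - mac_to_int(self.start) + 1

    def contains(self, mac: str) -> bool:
        return mac_to_int(self.start) <= mac_to_int(mac) <= mac_to_int(self.end)

    def overlaps(self, other: "MacPool") -> bool:
        return (mac_to_int(self.start) <= mac_to_int(other.end)
                and mac_to_int(other.start) <= mac_to_int(self.end))


def find_pool_collisions(pools: List[MacPool]) -> List[Tuple[str, str]]:
    """Pairs of hosts whose pools overlap. Identical pools (the sysprep case)
    are the extreme form of overlap."""
    hits = []
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.overlaps(b):
                hits.append((a.host, b.host))
    return hits


# Illustrative table only (assumption for the example): Microsoft prefixes are the
# ones on the slides; the VMware and Xen/Citrix entries are well-known vendor OUIs.
RESERVED_OUIS: Dict[str, str] = {
    "00-15-5D": "Microsoft Hyper-V",
    "00-1D-D8": "Microsoft SCVMM",
    "00-50-56": "VMware",
    "00-0C-29": "VMware",
    "00-16-3E": "Xensource / Citrix XenServer",
}


def reserved_owner(prefix: str) -> Optional[str]:
    """Vendor that owns the prefix if it is in the reserved table, else None."""
    return RESERVED_OUIS.get(oui(prefix))


def is_locally_administered(prefix: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set, i.e. the prefix
    is meant for local assignment rather than being a vendor burned-in OUI."""
    first_octet = int(oui(prefix).split("-")[0], 16)
    return bool(first_octet & 0x02)


# Constructed sample: hostB is a sysprepped clone of hostA, so its pool is identical.
SAMPLE_POOLS = [
    MacPool("hostA", "00-15-5D-3A-7B-00", "00-15-5D-3A-7B-FF"),
    MacPool("hostB", "00-15-5D-3A-7B-00", "00-15-5D-3A-7B-FF"),
    MacPool("hostC", "00-15-5D-9C-12-00", "00-15-5D-9C-12-FF"),
]


if __name__ == "__main__":
    for pool in SAMPLE_POOLS:
        print(f"{pool.host}: {pool.start}..{pool.end} ({pool.size()} addresses)")
    print("colliding pools:", find_pool_collisions(SAMPLE_POOLS))
    for candidate in ("00-50-56", "02-AB-CD"):
        owner = reserved_owner(candidate)
        print(candidate, "reserved by", owner or "nobody",
              "| locally administered:", is_locally_administered(candidate))
```

The collision check is the one to run when hosts were cloned from a sysprepped image: identical pools show up as an overlapping pair. The locally-administered test goes a step beyond the slide: a custom prefix with the U/L bit set cannot collide with any vendor's burned-in OUI, which is a simpler rule than maintaining a reserved-range list.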

Virtual LAN (VLAN)


IEEE 802.1Q: Layer 2 Extension Of Ethernet To Allow Multiple Bridged Networks to Share A Common Physical Link
Egress (outbound) Network Frames Are Tagged With a VLAN Identifier (tag)
Ingress (inbound) Network Frames Are Stripped of Their VLAN Identifier (tag)
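As an added example (not part of the slide deck), the tag insertion and removal the slide describes, written out on the wire format: an 802.1Q tag is four bytes placed after the source MAC, consisting of the TPID 0x8100 and a TCI whose low 12 bits carry the VLAN ID. The MAC addresses and payload are constructed; `port_accepts` models a vNIC pinned to one VLAN and is the example's own simplification.

```python
"""Added example: build, tag (egress) and untag (ingress) IEEE 802.1Q frames.
Not from the slide deck; frame contents are constructed."""
import struct

TPID_8021Q = 0x8100          # EtherType value announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return parse_mac(dst) + parse_mac(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Egress: insert a 4-byte 802.1Q header after the source MAC."""
    if not 1 <= vlan_id <= 4094:       # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes):
    """Ingress: return (vlan_id, untagged_frame); vlan_id is None when the
    frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, frame
    if len(frame) < 18:                # tag plus the inner EtherType
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def port_accepts(frame: bytes, port_vlan: int) -> bool:
    """A vNIC pinned to one VLAN only receives frames tagged with that ID;
    untagged frames and other VLANs are dropped (example simplification)."""
    vlan_id, _ = strip_tag(frame)
    return vlan_id == port_vlan


# Constructed sample traffic
VM_MAC = "00-15-5D-3A-7B-01"
GATEWAY_MAC = "00-1B-21-AA-BB-CC"
UNTAGGED = build_frame(GATEWAY_MAC, VM_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)


if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, vlan_id=100)
    print("egress  :", tagged.hex())
    vid, inner = strip_tag(tagged)
    print("ingress : VLAN", vid, "| payload restored:", inner == UNTAGGED)
    print("VLAN 100 port accepts:", port_accepts(tagged, 100),
          "| VLAN 200 port accepts:", port_accepts(tagged, 200))
```

Isolation between VLANs rests entirely on every switch and vNIC honouring the 12-bit ID, which is why the slides treat tagging as a security control only together with physical switch configuration and a separate management adapter.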

VLAN Tagging Methods


Virtual NIC Tagging
  VLAN Specified Per Virtual NIC
  Configured In Hyper-V/SCVMM UI/APIs

Static Switch Port Tags
  VLAN Specified Per Physical Switch Port
  Configured On Physical Network Switch

MAC Address Tagging
  MAC Address to VLAN Mapping Created
  Configured On Physical Network Switch

Physical NIC Tagging
  VLAN Specified On The Physical NIC

VLAN Tags
VLANs are used to isolate network traffic for nodes that are connected to the same physical network
Use VLANs to
  Isolate Hyper-V host management networks
  Isolate virtual machines connected to external networks
  Isolate virtual machines on a single host computer

Configuring VLAN Tags


Configure VLAN identifiers
  On internal and external virtual networks (Virtual Network properties)
  On the network adapters attached to virtual machines (VM Properties)

VLAN Security
Isolate host and VM networks
  Use a dedicated network adapter for host management
  Physical network security

Use VLAN tagging for VMs
  Connects the VMs to a different network from the host
  Can avoid host DoS attacks from network flooding

Configuring Firewall Rules


Automatically configured during Hyper-V role installation
  Check Windows Firewall with Advanced Security
  On Server Core use the SConfig tool

Automatically configured when adding a host via VMM
  Failover Clustering with a File Server or VMM Library requires Remote Volume Management to be unblocked

VMs Using Network Load Balancing


To configure VMs in a Network Load Balancing cluster, enable MAC address spoofing
  This ensures the virtual switch will not learn MAC addresses, a requirement for NLB to function correctly
VMQ does not work with NLB
  NLB changes the virtual MAC addresses, which prevents Hyper-V from dispatching the packets directly to the guest's queue
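An added example, not from the slide deck, that shows why the slide ties NLB to disabling MAC learning. It is a toy model of the switch's port-to-MAC learning described under Virtual Switch Architecture: in NLB unicast mode every node sends with the same cluster MAC, so a learning switch pins that MAC to whichever node spoke last and the other node stops seeing client traffic. The `mac_spoofing` flag models only what the slide states (spoofing enabled means no learning); port names and MACs are constructed.

```python
"""Added example: toy learning switch demonstrating the NLB / MAC-learning
conflict. Not from the slide deck; ports and addresses are constructed."""
from typing import Dict, List


class VirtualSwitch:
    """Learning Layer-2 switch. mac_spoofing=True models the slide's claim
    that the switch then no longer learns port-to-MAC mappings."""

    def __init__(self, mac_spoofing: bool) -> None:
        self.learning = not mac_spoofing
        self.ports: List[str] = []
        self.fdb: Dict[str, str] = {}     # learned MAC -> port

    def add_port(self, port: str) -> None:
        self.ports.append(port)

    def forward(self, ingress: str, src: str, dst: str) -> List[str]:
        """Ports the frame is delivered to: the single learned port, or a
        flood to every port except the ingress when the destination is unknown."""
        if ingress not in self.ports:
            raise KeyError(f"unknown port {ingress}")
        if self.learning:
            self.fdb[src] = ingress
        learned = self.fdb.get(dst)
        if learned is not None:
            # destination lives on the ingress port itself: nothing to forward
            return [] if learned == ingress else [learned]
        return [p for p in self.ports if p != ingress]


# Constructed scenario
CLUSTER_MAC = "02-BF-C0-A8-01-64"   # shared NLB unicast cluster MAC (locally administered)
CLIENT_MAC = "00-1B-21-AA-BB-CC"    # a client beyond the physical NIC


def simulate(mac_spoofing: bool) -> Dict[str, List[str]]:
    """Two NLB nodes on one host; returns which ports see each frame."""
    sw = VirtualSwitch(mac_spoofing)
    for port in ("node1", "node2", "uplink"):
        sw.add_port(port)
    # node2 answers an earlier request; the reply carries the cluster MAC as source
    reply_ports = sw.forward("node2", CLUSTER_MAC, CLIENT_MAC)
    # the next client request for the cluster arrives on the physical NIC
    request_ports = sw.forward("uplink", CLIENT_MAC, CLUSTER_MAC)
    return {"reply": reply_ports, "request": request_ports}


if __name__ == "__main__":
    for spoofing in (False, True):
        result = simulate(spoofing)
        state = "enabled" if spoofing else "disabled"
        print(f"MAC spoofing {state}: client request reaches {result['request']}")
```

With learning on, the request reaches only node2 and node1 is silently starved; with learning off, the request floods to both nodes, which is what NLB's own filtering algorithm needs in order to decide which node handles it.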

Takeaways
Hyper-V is fully integrated in the Windows network stack
Choose a synthetic or legacy (emulated) network adapter based on its intended use
Use VLAN tagging & firewall rules for security
Consider using Network Teaming & VMQ for higher availability and faster performance
