Hyper-V Networking Symon Perriman Jeff Woolsey

Presentation transcript:

Hyper-V Networking
Symon Perriman, Technical Evangelist
Jeff Woolsey, Principal Program Manager

Introduction to Hyper-V Jump Start

First Half:
- (01) Introduction to Microsoft Virtualization
- (02) Hyper-V Infrastructure
- (03) Hyper-V Networking
- (04) Hyper-V Storage

Second Half:
- (05) Hyper-V Management
- (06) Hyper-V High Availability and Live Migration
- (07) Integration with System Center 2012 Virtual Machine Manager
- (08) Integration with Other System Center 2012 Components

** MEAL BREAK **

Agenda
- Virtual networks
- Software Defined Networking
- Hyper-V Extensible Switch
- Network teaming
- Guest Network Load Balancing

Virtual Networks

10/9/2017 7:08 PM © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Virtual Switch Architecture
- Implemented as an NDIS 6.0 MUX driver
- Binds to network adapters as a protocol driver
- Can enumerate a single-host interface
- Basic layer-2 switch functionality:
  - Dynamically “learns” port-to-MAC mappings
  - Implements VLANs
  - Does not implement spanning tree
  - Does not implement layer 3

Configuring Virtual Networks
- Configured from Virtual Switch Manager
- External networks: VMs can communicate with other computers on the network; only one per physical NIC
- Internal networks: VMs can communicate only with other VMs on the same host, and with the host computer
- Private networks: VMs can communicate only with other VMs on the same host
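The three switch types above, created from PowerShell rather than Virtual Switch Manager. This is an added example, not code from the slides or from Microsoft; the adapter name "Ethernet 2", the switch names and the VM name "App01" are assumptions.

```powershell
# Added example, not from the slides: one switch of each type described above.
# "Ethernet 2", the switch names and the VM name "App01" are assumptions.
Import-Module Hyper-V

# External switch: bound to a physical NIC, so VMs reach the physical network.
# Only one external switch can bind to a given physical adapter.
# AllowManagementOS $false keeps the host off this uplink, which separates
# management traffic from tenant traffic; set it to $true to share the NIC.
New-VMSwitch -Name "External-Tenant" -NetAdapterName "Ethernet 2" -AllowManagementOS $false

# Internal switch: VMs on this host plus the host itself, no physical uplink.
New-VMSwitch -Name "Internal-Mgmt" -SwitchType Internal

# Private switch: VMs on this host only; the host has no vNIC on it.
New-VMSwitch -Name "Private-Backend" -SwitchType Private

# Attach a VM adapter to the private switch.
Connect-VMNetworkAdapter -VMName "App01" -SwitchName "Private-Backend"

# Verify type, uplink binding and host exposure for every switch on the host.
Get-VMSwitch |
    Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS |
    Format-Table -AutoSize
```

The verification step matters for review: an external switch with AllowManagementOS set to $true puts a host vNIC on the same segment as tenant VMs, which is usually not what a multi-tenant design wants.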

Virtual Network Adapters

Synthetic adapters:
- Not based on a physical device
- Doesn’t support PXE boot
- Significantly higher performance vs. emulated
- Drivers provided for supported operating systems
- Windows Server 2012 extensible switch

Legacy (emulated) adapters:
- Emulates a physical DEC21140 chipset
- Supports PXE boot
- Drivers exist for most operating systems

Operating systems listed on the slide: Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows XP, Windows Vista, Windows 7, Windows 8, Linux (SLES 10, 11), RHEL 5.x/6.x, CentOS 5.x/6.x, OpenSUSE, etc.

Network Considerations

Customers:
- How do I ensure network multi-tenancy?
- IP address management is a pain.
- What if VMs are competing for bandwidth?

Fully leverage the network fabric:
- How do I integrate with the existing fabric?
- Network metering?
- Can I dedicate a NIC to a workload?

Hybrid Clouds
Windows Server 2012 is optimized for hybrid clouds that host multi-tenant workloads.
(Diagram: a data center hosting Tenant 1 and Tenant 2, each with multiple VM workloads.)

Reliability
Even when hardware fails, customers want continuous availability (TEAMING).
(Diagram: a data center hosting Tenant 1 and Tenant 2, each with multiple VM workloads.)
Notes: Customers don’t want to be impacted by the hoster’s hardware problems. Hosters want to differentiate by being able to offer always-up/on guarantees while accounting for potential hardware failures in the network.

Predictability
Even when multiple VMs are competing for bandwidth, customers want predictability.
(Diagram: a data center hosting Tenant 1 and Tenant 2, each with multiple VM workloads, priced at different tiers: 15 $$ and 25 $$$$.)
Notes: Great opportunity to talk about the cloud admin’s ability to offer differentiated services, especially around network workloads on shared infrastructure. For the first time a “Gold” customer can be hosted on the same hardware as a “Bronze” customer without any worry that the “Bronze” customer can impact the networking guarantee of the “Gold” customer.

Security
In a multi-tenant environment, customers want security and isolation.
(Diagram: a data center hosting Tenant 1 and Tenant 2, each with multiple VM workloads.)

Multi-Tenant Network Requirements
- Tenant wants to easily move VMs to/from the cloud
- Hoster wants to place VMs anywhere in the data center
- Both want: easy onboarding, flexibility and isolation
(Diagram: Woodgrove Bank (Blue, 10.1.0.0/16) and Contoso Bank (Red, 10.1.0.0/16) both hosted in the cloud data center, with the same address range.)

One Solution: PVLAN

Isolation scenario: the hoster wants to isolate all VMs from each other and allow internet connectivity. This is the #1 customer ask from hosters.

Community scenario: the hoster wants tenant VMs to interact with each other but not with other tenants’ VMs. Requires a VLAN ID for each “community” (limited scalability: only 4095 VLAN IDs).

(Diagram: a Win 8 host running the Hyper-V switch with VMs Green 10.1.1.31, Blue 10.1.1.21, Red1 10.1.1.11 and Red2 10.1.1.12; switch ports labelled Isolated (primary 4, secondary 7) and Community (primary 4, secondary 9); uplink to the Internet via 10.1.1.1.)

Software Defined Networking

Software Defined Networking (SDN)
An SDN solution can accomplish several things:
- Create virtual networks that run on top of the physical network
- Control traffic flow within the datacenter
- Create integrated policies that span the physical and virtual networks
- On a per-VM basis, configure security policies that limit the types of traffic (and destinations)

SDN: Network Virtualization

Hyper-V machine virtualization:
- Run multiple virtual servers on a physical server
- Each VM has the illusion it is running as a physical server

Hyper-V Network Virtualization:
- Run multiple virtual networks on a physical network
- Each virtual network has the illusion it is running as a physical fabric

(Diagram: a Woodgrove VM and a Contoso VM on one physical server; a Woodgrove network and a Contoso network on one physical network.)

Software Defined Networking (SDN)

How network virtualization works:
- Two IP addresses for each virtual machine
- Generic Routing Encapsulation (GRE)
- IP address rewrite
- Policy management server

Problems solved:
- Removes VLAN constraints
- Eliminates hierarchical IP address assignment for virtual machines
- On a per-VM basis, configure security policies that limit the types of traffic (and destinations)

Generic Routing Encapsulation (GRE)

How GRE works:
- Defined by RFC 2784 and RFC 2890
- One customer address per virtual machine
- One provider address per host
- (Packet diagram labels: tenant network ID, MAC header)

Benefits:
- Lowers the burden on switches
- Allows traffic analysis, metering and control
- Enables Live Migration across subnets
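The two-address model from the two slides above (a customer address per VM, a provider address per host, a tenant network ID carried in the encapsulation), expressed as the policy one host would hold, using the Windows Server 2012 NetWNV cmdlets. This is an added example, not from the slides or from Microsoft; every address, VSID, routing-domain GUID, MAC and VM name is constructed for illustration.

```powershell
# Added example, not from the slides: the two-address model on one Hyper-V
# host using the Windows Server 2012 NetWNV cmdlets. Every address, VSID,
# routing-domain GUID, MAC and VM name here is constructed for illustration.
Import-Module Hyper-V
Import-Module NetWNV

$uplink   = "Ethernet 2"        # physical NIC carrying provider traffic
$hostPA   = "192.168.10.11"     # provider address (PA) of this host
$peerPA   = "192.168.10.12"     # PA of another host in the data center
$vsidBlue = 5001                # Woodgrove (Blue) virtual subnet ID
$vsidRed  = 5002                # Contoso (Red) virtual subnet ID
$rdBlue   = "{11111111-0000-0000-0000-000000000001}"   # routing domain per tenant
$rdRed    = "{22222222-0000-0000-0000-000000000002}"

# 1. Bind the network virtualization filter to the uplink and give the host a PA.
Enable-NetAdapterBinding -Name $uplink -ComponentID ms_netwnv
$ifIndex = (Get-NetAdapter -Name $uplink).ifIndex
New-NetVirtualizationProviderAddress -InterfaceIndex $ifIndex -ProviderAddress $hostPA -PrefixLength 24

# 2. Lookup records map customer address (CA) -> PA. Both tenants use
#    10.1.1.11; the VSID is what keeps the two records (and tenants) apart.
New-NetVirtualizationLookupRecord -CustomerAddress "10.1.1.11" -ProviderAddress $hostPA `
    -VirtualSubnetID $vsidBlue -MACAddress "00155D0A0B01" -Rule TranslationMethodEncap `
    -CustomerID $rdBlue -VMName "Woodgrove-Web01"
New-NetVirtualizationLookupRecord -CustomerAddress "10.1.1.11" -ProviderAddress $peerPA `
    -VirtualSubnetID $vsidRed -MACAddress "00155D0A0B02" -Rule TranslationMethodEncap `
    -CustomerID $rdRed -VMName "Contoso-Web01"

# 3. One customer route per routing domain; NextHop 0.0.0.0 means on-link.
New-NetVirtualizationCustomerRoute -RoutingDomainID $rdBlue -VirtualSubnetID $vsidBlue `
    -DestinationPrefix "10.1.0.0/16" -NextHop "0.0.0.0"
New-NetVirtualizationCustomerRoute -RoutingDomainID $rdRed -VirtualSubnetID $vsidRed `
    -DestinationPrefix "10.1.0.0/16" -NextHop "0.0.0.0"

# 4. Put the local VM's adapter into its tenant's virtual subnet.
Set-VMNetworkAdapter -VMName "Woodgrove-Web01" -VirtualSubnetId $vsidBlue

# Review the policy this host encapsulates against.
Get-NetVirtualizationLookupRecord |
    Format-Table CustomerAddress, ProviderAddress, VirtualSubnetID, MACAddress, Rule
```

Every host must hold the same lookup records, which is the job of the policy management server the slide mentions; a host with a stale record forwards a tenant's packets to the wrong provider address, so the records are worth treating as security configuration and auditing like one.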

Extensibility
Customers want specialized functionality with lots of choice, for firewalls, monitoring and physical fabric integration.
(Diagram: a data center hosting Tenant 1 and Tenant 2, each with multiple VM workloads.)

Hyper-V Extensible Switch

Hyper-V Extensible Switch
The Hyper-V Extensible Switch allows deeper integration with customers’ existing network infrastructure, monitoring and security tools:
- Windows PowerShell and WMI management
- PVLANs
- ARP/ND poisoning protection
- DHCP Guard protection
- Virtual port ACLs
- Trunk mode to virtual machines
- Monitoring and port mirroring

Hyper-V Extensible Switch (architecture)

(Diagram: VM1 and VM2 attach through their VM NICs to the Extensible Switch in the root partition, which sits on the physical NIC; the host NIC also attaches to the switch. Inside the switch, from top to bottom: Extension Protocol, Capture Extensions (NDIS), Windows Filtering Platform (WFP) with its callout, Filtering Engine and BFE service, Forwarding Extensions (NDIS), Extension Miniport.)

- Windows Filtering Platform (WFP): extensions can inspect, drop, modify and insert packets using WFP APIs. Windows antivirus and firewall software use WFP for traffic filtering. Example: Virtual Firewall by 5NINE Software.
- Forwarding extensions direct traffic, defining the destination(s) of each packet; they can also capture and filter traffic. Examples: Cisco Nexus 1000V and UCS; NEC ProgrammableFlow’s vPFS (OpenFlow).
- Capture extensions can inspect traffic and generate new traffic for reporting purposes; they do not modify existing Extensible Switch traffic. Example: sFlow by InMon.
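Because capture, filtering and forwarding extensions all sit in the packet path, an operator should know exactly which ones are enabled on each switch. The following is an added example, not from the slides or from Microsoft; the switch name is an assumption, while the extension name "Microsoft Windows Filtering Platform" is the in-box extension's display name.

```powershell
# Added example, not from the slides: inventory the extensions on a switch
# and enable the in-box WFP extension. The switch name is an assumption.
Import-Module Hyper-V
$switchName = "External-Tenant"

# Everything installed on the host, with its type (Capture, Filter, Forwarding).
Get-VMSystemSwitchExtension |
    Format-Table Name, Vendor, Version, ExtensionType -AutoSize

# What this particular switch is running right now.
Get-VMSwitchExtension -VMSwitchName $switchName |
    Format-Table Name, ExtensionType, Enabled, Running -AutoSize

# The in-box filtering extension exposes WFP to the switch data path.
Enable-VMSwitchExtension -VMSwitchName $switchName -Name "Microsoft Windows Filtering Platform"

# Change-control check: return any enabled third-party extension. A forwarding
# extension decides the destination of every packet, so it deserves attention.
function Get-ThirdPartySwitchExtension {
    param([string]$VMSwitchName)
    Get-VMSwitchExtension -VMSwitchName $VMSwitchName |
        Where-Object { $_.Enabled -and $_.Vendor -notlike "Microsoft*" } |
        Select-Object Name, Vendor, Version, ExtensionType, Running
}
Get-ThirdPartySwitchExtension -VMSwitchName $switchName | Format-Table -AutoSize
```

An extension that shows Enabled but not Running is a configuration drift worth investigating: the policy says it should be filtering, but nothing is.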

Feature Rich Networking in the Box

Open, extensible virtual switch:
- Nexus 1000V support
- OpenFlow support
- Network introspection
- Much more…

Advanced networking:
- ACLs
- PVLAN
- …much more…
- Windows NIC Teaming

Network QoS:
- Per-vNIC bandwidth reservation and limits
- Network metering

DVMQ / SR-IOV network support:
- Reduces latency and CPU utilization
- Supports Live Migration

Microsoft Confidential

Single-Root I/O Virtualization (SR-IOV)
- Reduces latency of the network path
- Reduces CPU utilization for processing network traffic
- Increases throughput
- Direct device assignment to virtual machines without compromising flexibility
- Supports Live Migration

(Diagram: without SR-IOV the network I/O path runs from the VM’s virtual NIC over VMBus to the Hyper-V switch in the root partition (routing, VLAN filtering, data copy) and on to the physical NIC; with SR-IOV the VM’s virtual function talks to the SR-IOV physical NIC directly.)

SR-IOV Enabling & Live Migration

Turn on IOV:
- Enable IOV (VM NIC property)
- Virtual Function is “assigned”, assuming resources are available
- A team is automatically created inside the VM between the software NIC and the Virtual Function; traffic flows through the VF and the software path is not used

Live Migration:
- Break the team; remove the VF from the VM
- Migrate as normal
- The VM has connectivity even if the destination switch is not in IOV mode, the IOV physical NIC is not present, the NIC is from a different vendor, or the NIC has different firmware

Post migration:
- Reassign a Virtual Function, assuming resources are available

(Diagram: the virtual machine network stack with a software NIC and a Virtual Function joined in a “TEAM”, over a software switch in IOV mode on an SR-IOV physical NIC, shown before and after migration.)

DVMQ vs. SR-IOV Considerations

DVMQ pros:
- Improves VM performance
- Provides Receive Side Scaling benefits by spreading network load across multiple logical processors
- Can use the Hyper-V Extensible Switch

DVMQ cons:
- If you need more than 10 GbE for a workload, SR-IOV is likely the better choice

SR-IOV pros:
- Great performance
- Great for low-latency workloads

SR-IOV cons:
- Bypasses the virtual switch
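The trade-off in the last three slides decided per VM: an IOV-capable switch, a latency-sensitive VM that gets a Virtual Function, and a general VM that stays on the switch with DVMQ. Added example, not from the slides or from Microsoft; the switch, adapter and VM names are assumptions.

```powershell
# Added example, not from the slides: create an IOV-capable switch, then
# choose per VM between the VMQ path and a VF. Names are assumptions.
Import-Module Hyper-V

# IOV can only be turned on when the switch is created.
New-VMSwitch -Name "External-IOV" -NetAdapterName "Ethernet 3" -EnableIov $true -AllowManagementOS $false

# Confirm the host and NIC actually support it; IovSupportReasons says why not.
Get-VMSwitch -Name "External-IOV" |
    Format-List Name, IovEnabled, IovSupport, IovSupportReasons

# Latency-sensitive VM: request a VF (IovWeight 1-100). Its traffic bypasses
# the switch, so port ACLs and switch extensions do not see it.
Set-VMNetworkAdapter -VMName "LowLatency01" -IovWeight 100

# General VM: stay on the switch and spread receive work with DVMQ.
Set-VMNetworkAdapter -VMName "General01" -IovWeight 0 -VmqWeight 100

# Verify what was actually assigned; a VF may not be available.
Get-VMNetworkAdapter -VMName "LowLatency01", "General01" |
    Format-Table VMName, IovWeight, IovQueuePairsAssigned, VmqWeight, VmqUsage -AutoSize
```

The practical consequence of "bypasses the virtual switch" is that any control applied at the switch port (ACLs, DHCP Guard, a filtering extension) is not in the path for a VM that holds a VF; those controls need to live elsewhere, for example on the physical switch, for such workloads.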

Cloud Admins Want Scale, Customers Want Performance: DVMQ, IPsec Task Offload, SR-IOV

IPsec Task Offload: Microsoft expects deployment of Internet Protocol security (IPsec) to increase significantly in the coming years. The large demands placed on the CPU by the IPsec integrity and encryption algorithms can reduce the performance of your network connections. IPsec Task Offload is a technology built into the Windows operating system that moves this workload from the main computer’s CPU to a dedicated processor on the network adapter.

SR-IOV is a specification that allows a PCIe device to appear to be multiple separate physical PCIe devices. The SR-IOV specification was created and is maintained by the PCI SIG, with the idea that a standard specification will help promote interoperability. SR-IOV works by introducing the idea of physical functions (PFs) and virtual functions (VFs). Physical functions (PFs) are full-featured PCIe functions; virtual functions (VFs) are “lightweight” functions that lack configuration resources.

Dynamic Virtual Machine Queue (DVMQ): dVMQ uses hardware packet filtering to deliver packet data from an external virtual machine network directly to virtual machines, which reduces the overhead of routing packets and copying them from the management operating system to the virtual machine.

Advanced Network Security: DHCP Guard, Router Guard, Monitor Port
- DHCP Guard is a security feature that drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers.
- Router Guard is a security feature that drops Router Advertisement and Redirection messages from unauthorized virtual machines pretending to be routers.
- Monitor Mode duplicates all egress and ingress traffic to/from one or more switch ports (being monitored) to another switch port (performing monitoring).

Manage to a Service Level Agreement: Network Bandwidth & QoS
Bandwidth Management allows you to easily reserve minimums or set maximums, providing QoS controls to manage to a service level agreement.

Port Mirroring Provided by the Hyper-V Extensible Switch
- Administrator can run security and diagnostics applications in virtual machines that monitor virtual machine network traffic
- Port mirroring also supports live migration of extension configurations
- Set-VMNetworkAdapter -VMName MyVM -PortMirroring Source
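The DHCP Guard, Router Guard and monitoring features from the two slides above, applied as a baseline and then audited. Added example, not from the slides or from Microsoft; the "Tenant-*" naming scheme and the VM names are assumptions.

```powershell
# Added example, not from the slides: apply DHCP Guard and Router Guard to
# tenant VMs, exempt the real DHCP server, mirror one port to a monitoring VM,
# and audit the result. VM names and the "Tenant-*" scheme are assumptions.
Import-Module Hyper-V

# Drop rogue DHCP offers and router advertisements from every tenant VM.
Get-VM | Where-Object { $_.Name -like "Tenant-*" } |
    Get-VMNetworkAdapter |
    Set-VMNetworkAdapter -DhcpGuard On -RouterGuard On

# The one VM that legitimately serves DHCP must be exempted.
Set-VMNetworkAdapter -VMName "Infra-DHCP01" -DhcpGuard Off

# Port mirroring: copy Tenant-Web01's traffic to the IDS VM. Source and
# destination must sit on the same virtual switch.
Set-VMNetworkAdapter -VMName "Tenant-Web01" -PortMirroring Source
Set-VMNetworkAdapter -VMName "Sec-IDS01"   -PortMirroring Destination

# Audit: every adapter with a guard off or a mirror configured is an
# exception that should be known and documented.
function Get-SwitchPortSecurityException {
    Get-VM | Get-VMNetworkAdapter |
        Where-Object {
            $_.DhcpGuard -ne "On" -or
            $_.RouterGuard -ne "On" -or
            $_.PortMirroringMode -ne "None"
        } |
        Select-Object VMName, Name, DhcpGuard, RouterGuard, PortMirroringMode
}
Get-SwitchPortSecurityException | Format-Table -AutoSize
```

A mirroring destination receives every tenant's mirrored frames, so the monitoring VM itself should be treated as sensitive infrastructure, and the audit above is how you notice when someone has quietly set a tenant VM as a Destination.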

Network Teaming

Windows Server 2012 Network Teaming

Failover teaming:
- Typically two interfaces
- Typically connected to different switches
- Provides redundancy for NIC card, cable or switch failure

Aggregation/load balancing teams:
- Two or more interfaces
- Divides network traffic between active interfaces by MAC/IP address or protocol
- Redundancy for NIC card or cable failure

Microsoft supported.
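Both team styles from the slide, built with the in-box Windows Server 2012 teaming cmdlets and then used as the uplink of a virtual switch. Added example, not from the slides or from Microsoft; the NIC names "NIC1" to "NIC4" and the team and switch names are assumptions.

```powershell
# Added example, not from the slides: an active/standby failover team and an
# LACP aggregation team, then a virtual switch on the failover team.
# NIC, team and switch names are assumptions.
Import-Module NetLbfo
Import-Module Hyper-V

# Failover team: two NICs, each on a different physical switch. Switch-
# independent mode needs no configuration on those switches.
New-NetLbfoTeam -Name "Team-Failover" -TeamMembers "NIC1", "NIC2" `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false
# Keep NIC2 idle until NIC1, its cable or its switch fails.
Set-NetLbfoTeamMember -Name "NIC2" -AdministrativeMode Standby

# Aggregation team: both links active, traffic split per flow. LACP requires
# the physical switch ports to be configured for it.
New-NetLbfoTeam -Name "Team-Agg" -TeamMembers "NIC3", "NIC4" `
    -TeamingMode Lacp -LoadBalancingAlgorithm TransportPorts -Confirm:$false

# The team exposes a NIC named after the team; bind the virtual switch to it.
New-VMSwitch -Name "External-Teamed" -NetAdapterName "Team-Failover" -AllowManagementOS $false

# Status: a team that is Degraded still carries traffic but has lost redundancy.
Get-NetLbfoTeam | Format-Table Name, TeamingMode, LoadBalancingAlgorithm, Status -AutoSize
Get-NetLbfoTeamMember | Format-Table Name, Team, AdministrativeMode, OperationalStatus -AutoSize
```

The team Status is the value to alert on: a failed member leaves the team Up but Degraded, which is exactly the state the slide's "hardware fails, customers want continuous availability" story assumes someone is watching for.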

Port ACL
- A rule that you can apply to a Hyper-V switch port
- Can allow or deny packets
- Inbound or outbound control
- ACLs have three elements: local or remote address, direction, action
- Cmdlet: Add-VMNetworkAdapterAcl
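A port ACL set built from the three elements the slide names (address, direction, action), with the Meter action used for the network metering mentioned earlier. Added example, not from the slides or from Microsoft; the VM name and all address ranges are constructed.

```powershell
# Added example, not from the slides: a default-deny inbound policy on one
# VM's switch port, an outbound block toward the host management subnet, and
# metering of internet-bound traffic. VM name and addresses are constructed.
Import-Module Hyper-V
$vm = "Tenant-Web01"

# Inbound: deny everything, then allow the tenant's own /16 and one admin
# host. In this ACL model a more specific address prefix wins over a broader one.
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0      -Direction Inbound -Action Deny
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 10.1.0.0/16    -Direction Inbound -Action Allow
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 192.168.50.10  -Direction Inbound -Action Allow

# Outbound: the VM never needs to reach the hosts' management network.
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 192.168.100.0/24 -Direction Outbound -Action Deny

# Outbound: count bytes to everything else (Meter does not block).
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0 -Direction Outbound -Action Meter

# Review the effective rule set on the port.
function Get-PortAclSummary {
    param([string]$VMName)
    Get-VMNetworkAdapterAcl -VMName $VMName |
        Select-Object Direction, Action, LocalAddress, RemoteAddress
}
Get-PortAclSummary -VMName $vm | Format-Table -AutoSize

# Metered byte counts only accumulate once resource metering is on for the VM.
Enable-VMResourceMetering -VMName $vm
```

Removing a rule is `Remove-VMNetworkAdapterAcl` with the same address, direction and action; since the rules are keyed by those three elements, an audit script can compare `Get-VMNetworkAdapterAcl` output against an expected list rule by rule.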

PVLANs
- PVLAN addresses some of the scalability issues of VLANs
- Set as a switch port property
- A PVLAN has two VLAN IDs: a primary VLAN ID and a secondary VLAN ID
- A PVLAN port may be in one of three modes: Isolated, Promiscuous, Community
- Cmdlet: Set-VMNetworkAdapterVlan

Trunk Mode
- The Hyper-V Virtual Switch supports VLAN trunk mode
- Gives network services running in a virtual machine the ability to see traffic from multiple VLANs
- The switch port receives traffic from all VLANs that are in an allowed VLAN list
- Cmdlet: Set-VMNetworkAdapterVlan
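The VLAN port modes from the PVLAN scenario slide, the PVLANs slide and the trunk-mode slide, all set through the one cmdlet they name. Added example, not from the slides or from Microsoft; the VM names, VLAN IDs and the primary/secondary pairing are constructed rather than taken from the diagram.

```powershell
# Added example, not from the slides: access, PVLAN (isolated, community,
# promiscuous) and trunk modes on VM switch ports. All names and IDs constructed.
Import-Module Hyper-V

# Plain access-mode tagging: the port belongs to exactly one VLAN.
Set-VMNetworkAdapterVlan -VMName "Tenant-App01" -Access -VlanId 100

# Isolation scenario: primary 4, secondary 7. Red1 and Red2 share the
# secondary but isolated ports cannot reach each other, only the promiscuous port.
Set-VMNetworkAdapterVlan -VMName "Red1" -Isolated -PrimaryVlanId 4 -SecondaryVlanId 7
Set-VMNetworkAdapterVlan -VMName "Red2" -Isolated -PrimaryVlanId 4 -SecondaryVlanId 7

# Community scenario: primary 4, secondary 9. Green and Blue can talk to each
# other and to the promiscuous port, but not to the isolated ports.
Set-VMNetworkAdapterVlan -VMName "Green" -Community -PrimaryVlanId 4 -SecondaryVlanId 9
Set-VMNetworkAdapterVlan -VMName "Blue"  -Community -PrimaryVlanId 4 -SecondaryVlanId 9

# Promiscuous port for the gateway: it sees every secondary VLAN of primary 4.
Set-VMNetworkAdapterVlan -VMName "Gateway" -Promiscuous -PrimaryVlanId 4 -SecondaryVlanIdList "7,9"

# Trunk to a VM-hosted firewall or IDS that must see several VLANs.
Set-VMNetworkAdapterVlan -VMName "Sec-FW01" -Trunk -AllowedVlanIdList "100-110,200" -NativeVlanId 100

# Verify the mode and IDs actually applied to each port.
Get-VMNetworkAdapterVlan -VMName "Tenant-App01", "Red1", "Green", "Gateway", "Sec-FW01" |
    Format-Table VMName, OperationMode, AccessVlanId, PrimaryVlanId, SecondaryVlanId,
                 SecondaryVlanIdList, AllowedVlanIdList, NativeVlanId -AutoSize
```

Trunk mode is the one to review most carefully: a VM on a trunk port sees traffic for every VLAN in its allowed list, so the list should contain exactly the VLANs that workload needs and nothing else.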

Networking Performance
The Hyper-V Extensible Switch takes advantage of hardware innovation to drive the highest levels of networking performance within virtual machines:
- Dynamic VMQ: dynamically span multiple CPUs when processing virtual machine network traffic
- IPsec Task Offload: offload IPsec processing from within the virtual machine to the physical network adapter, enhancing performance
- SR-IOV support: map a virtual function of an SR-IOV-capable physical network adapter directly to a virtual machine

Network Load Balancing

VMs Using Network Load Balancing
- To configure VMs in a Network Load Balancing (NLB) cluster, enable MAC address spoofing
- This ensures the virtual switch will not learn MAC addresses, a requirement for NLB to function correctly
- VMQ does not work with NLB: NLB changes the virtual MAC addresses, which prevents Hyper-V from dispatching the packets directly to the guest’s queue
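The two settings the slide calls for on NLB nodes, followed by a check that MAC spoofing is not enabled anywhere else, since it also switches off the switch's MAC-based protection for that port. Added example, not from the slides or from Microsoft; the node names are assumptions.

```powershell
# Added example, not from the slides: enable MAC spoofing and disable VMQ on
# the NLB cluster members only, then find any other VM with spoofing on.
# Node names are assumptions.
Import-Module Hyper-V
$nlbNodes = "NLB-Web01", "NLB-Web02"

foreach ($vm in $nlbNodes) {
    # Spoofing lets the port carry the NLB cluster MAC; VMQ cannot follow the
    # changed MAC, so turn it off for these adapters.
    Set-VMNetworkAdapter -VMName $vm -MacAddressSpoofing On -VmqWeight 0
}

# Audit: MAC spoofing should be On only on the NLB nodes.
function Get-UnexpectedMacSpoofing {
    param([string[]]$AllowedVMs)
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { $_.MacAddressSpoofing -eq "On" -and $AllowedVMs -notcontains $_.VMName } |
        Select-Object VMName, Name, MacAddressSpoofing, VmqWeight
}
Get-UnexpectedMacSpoofing -AllowedVMs $nlbNodes | Format-Table -AutoSize
```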

Windows Server 2012 Networking: It’s All There
Feature rich, extensible, in the box, no compromises.

- NIC Teaming: Windows Server 2008 and 2008 R2: yes, via partners; Windows Server 2012: Windows NIC Teaming in box
- VLAN Tagging: yes
- MAC Spoofing Protection: Windows Server 2008: no; Windows Server 2008 R2: yes, with R2 SP1
- Also listed: ARP Spoofing Protection, SR-IOV Networking, Network QoS, Network Metering, Network Monitor Modes, IPsec Task Offload, VM Trunk Mode

Takeaways
- Hyper-V is fully integrated in the Windows network stack
- Use the synthetic network adapter
- Use VLAN tagging and firewall rules for security
- Windows Server 2012 includes inbox NIC Teaming for load balancing and failover
- VMQ provides great performance for most workloads
- SR-IOV for low-latency, high-throughput workloads

Appendix

Configuring (MAC) Address Pools

Hyper-V:
- Microsoft reserves the first three sextets: 00-15-5D-**-**-**
- Each host has a random pool starting at 00-15-5D-**-**-00, with a default range of 256 addresses ending at 00-15-5D-**-**-FF
- Sysprepping after installing Hyper-V will cause both hosts to have the same pool
- This avoids conflicts on the same host; use Microsoft System Center 2012 Service Pack 1 – Virtual Machine Manager (VMM) to avoid conflicts across hosts

VMM:
- Uses a broader range than Hyper-V
- First three sextets are standard but changeable: 00-1D-D8-**-**-**
- Default range of 3,998,719 addresses: 00-1D-D8-B7-1C-00 to 00-1D-D8-F4-1F-FF
- If changing the first three sextets, do not use reserved ranges from Microsoft, VMware or Citrix
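The sysprep problem above (two hosts ending up with the same dynamic MAC pool) is easy to detect before it produces duplicate MACs on the wire. The following is an added example, not from the slides or from Microsoft; the host names and the replacement pool values are assumptions, chosen inside the 00-15-5D prefix the slide describes.

```powershell
# Added example, not from the slides: compare the dynamic MAC pools of several
# hosts, report overlaps, and give one host a distinct pool.
# Host names and the new pool values are assumptions.
Import-Module Hyper-V

# Convert "00-15-5D-01-00-00" or "00155D010000" to an integer for range math.
function ConvertTo-MacInt64 {
    param([string]$Mac)
    [Convert]::ToInt64(($Mac -replace '[-:]', ''), 16)
}

# True when the two inclusive ranges share at least one address.
function Test-MacPoolOverlap {
    param([string]$MinA, [string]$MaxA, [string]$MinB, [string]$MaxB)
    $aLo = ConvertTo-MacInt64 $MinA; $aHi = ConvertTo-MacInt64 $MaxA
    $bLo = ConvertTo-MacInt64 $MinB; $bHi = ConvertTo-MacInt64 $MaxB
    return ($aLo -le $bHi) -and ($bLo -le $aHi)
}

# Pairwise check across a list of hosts; returns one object per overlap found.
function Find-MacPoolConflict {
    param([string[]]$ComputerName)
    $pools = foreach ($h in $ComputerName) {
        Get-VMHost -ComputerName $h | Select-Object Name, MacAddressMinimum, MacAddressMaximum
    }
    for ($i = 0; $i -lt $pools.Count; $i++) {
        for ($j = $i + 1; $j -lt $pools.Count; $j++) {
            if (Test-MacPoolOverlap $pools[$i].MacAddressMinimum $pools[$i].MacAddressMaximum `
                                    $pools[$j].MacAddressMinimum $pools[$j].MacAddressMaximum) {
                [pscustomobject]@{
                    HostA = $pools[$i].Name; HostB = $pools[$j].Name
                    PoolA = "$($pools[$i].MacAddressMinimum)-$($pools[$i].MacAddressMaximum)"
                    PoolB = "$($pools[$j].MacAddressMinimum)-$($pools[$j].MacAddressMaximum)"
                }
            }
        }
    }
}

Find-MacPoolConflict -ComputerName "HV01", "HV02", "HV03" | Format-Table -AutoSize

# Fix for a cloned host: a fresh 256-address pool, still in Microsoft's prefix.
Set-VMHost -ComputerName "HV02" -MacAddressMinimum "00155D020000" -MacAddressMaximum "00155D0200FF"
```

Changing the pool only affects addresses handed out from then on; VMs that already received a duplicate dynamic MAC keep it until their adapter is reset, so the conflict check is worth running before and after the change.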

Virtual LAN

Virtual LAN (VLAN)
- IEEE 802.1Q: a layer-2 extension of Ethernet that allows multiple bridged networks to share a common physical link
- Egress (outbound) network frames are “tagged” with a VLAN identifier (tag)
- Ingress (inbound) network frames are stripped of their VLAN identifier (tag)

A VLAN ID is the integer which uniquely identifies a node as belonging to a particular VLAN. As per the 802.1Q specification, the VLAN ID itself is encapsulated within the Ethernet frame, which is how multiple VMs using the same physical NIC can communicate on different VLANs simultaneously.

VLAN Tagging Methods
- Virtual NIC tagging: VLAN specified per virtual NIC; configured in the Hyper-V and VMM UI and APIs
- Static switch port tags: VLAN specified per physical switch port; configured on the physical network switch
- MAC address tagging: a MAC-address-to-VLAN mapping is created
- Physical NIC tagging: VLAN specified on the physical NIC

First, you need physical NICs which support VLAN tagging and you need to enable the feature. However, you should generally not set the VLAN ID at the physical NIC; it should be set on either the virtual switch or the individual virtual machine’s configuration. The VLAN ID on the virtual switch is what the host or parent partition uses. The VLAN ID setting in the individual virtual machine’s settings is what each VM will use.

When creating an external network in Hyper-V, a virtual network switch is created and bound to the selected physical adapter. A new virtual network adapter is created in the parent partition and connected to the virtual network switch. Child partitions can be bound to the virtual network switch by using virtual network adapters. Hyper-V also supports the use of VLANs and VLAN IDs with the virtual network switch and virtual network adapters. Hyper-V leverages 802.1Q VLAN trunking to achieve this objective.

VLAN Tags
VLANs are used to isolate network traffic for nodes that are connected to the same physical network. Use VLANs to:
- Isolate Hyper-V host management networks
- Isolate virtual machines connected to external networks
- Isolate virtual machines on a single host computer

To enable Virtual Local Area Network Identification (VLAN ID) for a virtual network, select the Enable virtual LAN identification check box to enable VLAN ID and specify an ID. You specify an ID under Virtual Network Properties on the Virtual Network Manager page in Hyper-V Manager.

To enable VLAN ID for a virtual machine, open the properties of the virtual machine and then select the virtual network adapter. Select the Enable virtual LAN identification check box to enable VLAN tagging and specify the ID that you want the virtual machine connection to use. A virtual machine may have multiple network adapters, and these adapters may use either the same or different VLAN IDs; therefore, you must perform this action on each network adapter.

Notes: Consider drawing a diagram to discuss the different ways that VLANs can be used. Ensure that you show the network switch on the diagram to reinforce the concept that the VLANs must be configured on the network switch. Also emphasize that the network switch must be configured to use VLAN identifiers and not port-based VLANs.

Configuring VLAN Tags

Configure VLAN identifiers:
- On internal and external virtual networks
- On the network adapters attached to virtual machines
[Screenshots: VM Properties, Virtual Network]

VLAN tags are used to improve security by isolating specific hosts on specific networks. Tags need to be configured on both the VM and the host.
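The same per-adapter tagging done from PowerShell, followed by an audit that finds VM adapters left untagged or placed on the management VLAN. This is an added example, not code from the deck; the switch, adapter and VM names and the VLAN numbers are assumptions, while the cmdlets are the standard Hyper-V module ones.

```powershell
# Added example (not from the deck): tag the host management vNIC and a tenant VM adapter,
# then audit every VM adapter on the host. Assumed names: management vNIC "Management",
# VM "TenantVM01", management VLAN 10, tenant VLANs 100-102.

# Host (parent partition) management traffic: tag the management OS vNIC, not the physical NIC.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName "Management" -Access -VlanId 10

# Each adapter on a VM carries its own setting, so tag the adapter by name.
Set-VMNetworkAdapterVlan -VMName "TenantVM01" -VMNetworkAdapterName "Network Adapter" -Access -VlanId 100

# Audit: report adapters that are untagged, sit on the management VLAN, or use a VLAN
# this host is not supposed to carry. Trunk/private modes are flagged for manual review.
function Test-VmVlanIsolation {
    param(
        [int[]]$AllowedVlanIds,
        [int]$ManagementVlanId
    )
    $findings = @()
    foreach ($vlan in Get-VM | Get-VMNetworkAdapter | Get-VMNetworkAdapterVlan) {
        $name = "{0}/{1}" -f $vlan.ParentAdapter.VMName, $vlan.ParentAdapter.Name
        switch ($vlan.OperationMode) {
            'Untagged' {
                $findings += "$name is untagged; its frames leave on the physical port's native VLAN"
            }
            'Access' {
                if ($vlan.AccessVlanId -eq $ManagementVlanId) {
                    $findings += "$name sits on the management VLAN $ManagementVlanId"
                } elseif ($AllowedVlanIds -notcontains $vlan.AccessVlanId) {
                    $findings += "$name uses VLAN $($vlan.AccessVlanId), which is not on the allowed list"
                }
            }
            default {
                $findings += "$name is in $($vlan.OperationMode) mode; review its VLAN list separately"
            }
        }
    }
    return $findings
}

Test-VmVlanIsolation -AllowedVlanIds 100,101,102 -ManagementVlanId 10
```

The audit only covers the host side; the physical switch port must still be configured as an 802.1q trunk carrying exactly those VLANs, as the slide notes.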

Quality of Service (QoS) and Data Center Bridging (DCB)

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Hyper-V QoS

Maximum and minimum bandwidth. [Diagram: Management OS flows (Live Migration, Storage, Management) and VM 1 ... VM n attached to the Hyper-V virtual switch, which sits on a Load-Balancing Failover (LBFO) team NIC over the physical NICs.]

Target use: ensuring workloads have fair sharing, e.g. equal weights between VMs.

Minimum Bandwidth Modes

Absolute mode
- Configure bandwidth directly in bits per second
- Prohibits over-subscription
- Requires careful planning

Weights mode
- Configure weight relative to other flows
- $\text{B/W percentage of flow} = \frac{\text{weight of flow}}{\text{sum of weights of all flows}} \times 100$
- Automatically adjusted for transition between 1G and 10G

Default Flow Per Virtual Switch

Customers may group a number of VMs that each don't have minimum bandwidth. They will be bucketized into a default flow which has a minimum weight allocation. This is to prevent starvation. [Diagram: VM1 and VM2 with no weight ("?") and a Gold Tenant with weight 10, all on a 1 Gbps Hyper-V Extensible Switch.]

Maximum Bandwidth for Tenants

One common customer pain point is that WAN links are expensive. Cap VM throughput to the Internet to avoid bill shock. [Diagram: a Unified Remote Access Gateway VM on the Hyper-V Extensible Switch, capped at <100Mb towards the Internet and uncapped (∞) towards the Intranet.]
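The three preceding slides (weight mode, the default flow, and a per-tenant cap) as one configuration, with the slide's percentage formula worked out from the configured weights. This is an added example, not code from the deck; the switch, adapter and VM names and the weights are assumptions, while the cmdlets and parameters are the real Hyper-V module ones.

```powershell
# Added example (not from the deck). Assumed names: switch "TenantSwitch", physical adapter
# "NIC1", VMs "GoldTenant" and "RAGateway"; weights 10 / 5 / 1 are also assumptions.

# The minimum bandwidth mode is fixed when the switch is created; weight mode avoids the
# careful absolute planning the slide warns about.
New-VMSwitch -Name "TenantSwitch" -NetAdapterName "NIC1" -MinimumBandwidthMode Weight -AllowManagementOS $true

# VMs with no explicit weight land in the default flow; give it a weight so they cannot be starved.
Set-VMSwitch -Name "TenantSwitch" -DefaultFlowMinimumBandwidthWeight 1

# Gold tenant and the host's management OS flows get explicit weights relative to everything else.
Set-VMNetworkAdapter -VMName "GoldTenant" -MinimumBandwidthWeight 10
Set-VMNetworkAdapter -ManagementOS -MinimumBandwidthWeight 5

# The Internet-facing gateway VM is capped in bits per second (here 100 Mb/s) to avoid bill shock.
Set-VMNetworkAdapter -VMName "RAGateway" -MaximumBandwidth 100000000

# Work the slide's formula: share of a flow = weight of flow / sum of weights of all flows * 100.
# The default flow counts as one flow in the sum.
function Get-MinimumBandwidthShare {
    param([hashtable]$Weights)   # flow name -> weight, default flow included
    $total = ($Weights.Values | Measure-Object -Sum).Sum
    $shares = @{}
    foreach ($flow in $Weights.Keys) {
        $shares[$flow] = [math]::Round($Weights[$flow] / $total * 100, 2)
    }
    return $shares
}

Get-MinimumBandwidthShare -Weights @{ GoldTenant = 10; ManagementOS = 5; DefaultFlow = 1 }
```

With the weights above the Gold tenant is guaranteed 10/16 of the link and the default flow 1/16; the guarantee only applies under contention, so an idle link still lets the default-flow VMs burst.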

QoS (or DCB) in Network Adapter

- Data center bridging is a set of IEEE standards
- Allows customers to manage bandwidth for traffic offloaded to the network adapter
- Supports flow control* per specific type of traffic that is sensitive to packet loss
- DCB is almost a commodity feature now, as most IHVs support it in 10GbE

* Priority-based flow control must also be supported by a remote device (typically, a switch)

Data Center Bridging on Windows Server 2012 QoS [Diagram: applications reach the Windows network stack through Winsock and the Windows storage stack through the file I/O API; PowerShell and WMI configure traffic classification (up to 8 classes); below them sit the DCB LAN miniport and the iSCSI miniport.]

Data Center Bridging on Windows Server 2012 QoS [Diagram: the same stack with kRDMA in place of the iSCSI miniport: applications, Winsock and the file I/O API, traffic classification with up to 8 classes, and the DCB LAN miniport.]
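Putting SMB Direct (the kRDMA path in the diagram) into one of the eight DCB traffic classes with priority-based flow control enabled for that class only. This is an added example, not code from the deck; the adapter alias, the priority value and the bandwidth share are assumptions, while the cmdlets are the Windows Server 2012 DCB module ones (the Data-Center-Bridging feature must be installed).

```powershell
# Added example (not from the deck). Assumed: adapter alias "NIC-RDMA1", 802.1p priority 3,
# 50 % ETS share. The peer switch must be configured to match (see the slide's footnote).

# Classify SMB traffic (port 445) into priority 3.
New-NetQosPolicy -Name "SMB" -NetDirectPortMatchCondition 445 -PriorityValue8021Action 3

# Lossless behaviour only for the class carrying storage traffic; every other priority stays lossy,
# so a misbehaving tenant class cannot pause the whole link.
Enable-NetQosFlowControl  -Priority 3
Disable-NetQosFlowControl -Priority 0,1,2,4,5,6,7

# Reserve bandwidth for the class with Enhanced Transmission Selection.
New-NetQosTrafficClass -Name "SMB" -Priority 3 -BandwidthPercentage 50 -Algorithm ETS

# Hand the configuration to the adapter's DCB-capable miniport.
Enable-NetAdapterQos -Name "NIC-RDMA1"

# Check: confirm PFC is on for the storage priority and that a class exists for it.
function Test-DcbStorageClass {
    param([string]$AdapterName, [int]$Priority)
    $pfc     = Get-NetQosFlowControl -Priority $Priority
    $classes = @(Get-NetQosTrafficClass)
    [pscustomobject]@{
        Adapter            = $AdapterName
        PfcEnabled         = [bool]$pfc.Enabled
        TrafficClassCount  = $classes.Count          # the slide's limit is 8
        StorageClassExists = [bool]($classes | Where-Object { $_.Priority -contains $Priority })
    }
}

Test-DcbStorageClass -AdapterName "NIC-RDMA1" -Priority 3
```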

DHCP Guard

DHCPGuard allows you to specify whether DHCP server messages coming from a VM should be dropped. For VMs that are running an authorized instance of the DHCP server role, you can turn DHCPGuard off.

Set-VMNetworkAdapter -VMName MyDhcpServer1 -DhcpGuard Off
Set-VMNetworkAdapter -VMName MyDhcpServer1 -DhcpGuard On

ARP/ND Poisoning Protection

- Provides protection against a malicious VM using Address Resolution Protocol (ARP) spoofing to steal IP addresses from other VMs
- Protection for both IPv4 and IPv6

ARP/ND Poisoning (spoofing) protection provides protection against a malicious VM using ARP spoofing to steal IP addresses from other VMs, and against attacks that can be launched for IPv6 using Neighbor Discovery (ND) spoofing. The Hyper-V Extensible Switch provides protection against a malicious virtual machine stealing IP addresses from other virtual machines through ARP spoofing (also known as ARP poisoning in IPv4). With this type of man-in-the-middle attack, a malicious virtual machine sends a fake ARP message, which associates its own MAC address to an IP address that it doesn't own. Unsuspecting virtual machines send network traffic targeted to that IP address to the MAC address of the malicious virtual machine instead of the intended destination. For IPv6, Windows Server 2012 provides equivalent protection for ND spoofing.
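The DHCP Guard setting from the previous slide applied as a baseline across every VM adapter on the host, together with a report of the adapters left unguarded so they can be checked against the list of authorized DHCP servers. This is an added example, not code from the deck; the authorized VM name is taken from the slide, and the MacAddressSpoofing column is a related per-port setting of the same cmdlet that the deck does not discuss.

```powershell
# Added example (not from the deck): enforce DhcpGuard = On on every VM adapter except those
# belonging to authorized DHCP server VMs, and return what was changed.
function Set-DhcpGuardBaseline {
    param([string[]]$AuthorizedDhcpServers)
    $changed = @()
    foreach ($adapter in Get-VM | Get-VMNetworkAdapter) {
        # Authorized DHCP servers keep guard Off; everything else must have it On.
        $desired = if ($AuthorizedDhcpServers -contains $adapter.VMName) { 'Off' } else { 'On' }
        if ($adapter.DhcpGuard -ne $desired) {
            $adapter | Set-VMNetworkAdapter -DhcpGuard $desired
            $changed += "{0}/{1}: DhcpGuard {2} -> {3}" -f $adapter.VMName, $adapter.Name, $adapter.DhcpGuard, $desired
        }
    }
    return $changed
}

# Report every adapter still allowed to emit DHCP server messages; review it whenever a VM changes role.
function Get-DhcpGuardExceptions {
    Get-VM | Get-VMNetworkAdapter |
        Where-Object { $_.DhcpGuard -eq 'Off' } |
        Select-Object VMName, Name, DhcpGuard, MacAddressSpoofing
}

Set-DhcpGuardBaseline -AuthorizedDhcpServers "MyDhcpServer1"
Get-DhcpGuardExceptions
```

Guard settings are per adapter, so a VM that gains a second adapter later inherits the default and must be re-audited; run the baseline again after such changes.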

Diagnostics

Events Tracing (ETW)

Unified logging facility provided by the OS
- Provides a holistic view of the system
- High speed: 1200 to 2000 cycles per logging event
- Low overhead: less than 5% of the total CPU cycles for 20,000 events/sec
- Works for both user mode applications and drivers
- Tracing sessions and event providers are separated
- Dynamically enabled or disabled
- Designed to allow tracing of production code

http://msdn.microsoft.com/en-us/library/windows/desktop/dd392330(v=vs.85).aspx

Event Tracing for Windows (ETW) provides application programmers the ability to start and stop event tracing sessions, instrument an application to provide trace events, and consume trace events. Trace events contain an event header and provider-defined data that describes the current state of an application or operation. You can use the events to debug an application and perform capacity and performance analysis.

Unified Tracing

A new parameter is added to the Netsh Trace commands. The new Netsh Trace parameter, capturetype, can be used to capture:
- Physical computer traffic (traffic that originates or terminates on the physical computer)
- Virtual machine traffic (traffic that originates or terminates on virtual machines)
- Traffic that traverses the Hyper-V virtual switch

In Windows Server 2012, a new parameter is added to the Netsh Trace commands that are provided in Windows Server 2008 R2. The new parameter extends tracing capabilities and enables network administrators to capture network traffic more efficiently, making the process of troubleshooting network issues more effective and efficient. In Windows Server 2012, you can use the new Netsh Trace parameter, capturetype, to capture physical computer traffic, virtual machine traffic, and traffic that traverses the Hyper-V virtual switch. The combination of these new capabilities with the tracing capabilities that are provided in Windows Server 2008 R2 is known as Unified Tracing.
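A timed capture with the capturetype parameter wrapped in a PowerShell function, so that virtual switch traffic and physical NIC traffic from the same incident land in one trace file. This is an added example, not code from the deck; the output path, size limit and duration are assumptions, while the netsh trace keywords (capture, capturetype, tracefile, maxsize, overwrite) are the real ones.

```powershell
# Added example (not from the deck): start a Unified Tracing session for a fixed window and stop it.
# Assumed: trace path C:\Traces\vmswitch.etl, 250 MB ring size, 60 second default window.
function Start-UnifiedTrace {
    param(
        [string]$TraceFile = "C:\Traces\vmswitch.etl",
        [int]$Seconds = 60,
        # physical = host NIC traffic, vmswitch = traffic crossing the Hyper-V virtual switch, both = union
        [ValidateSet('physical', 'vmswitch', 'both')][string]$CaptureType = 'both'
    )
    New-Item -ItemType Directory -Force -Path (Split-Path $TraceFile) | Out-Null

    # capture=yes adds packet capture to the ETW session; capturetype picks where packets are taken from.
    netsh trace start capture=yes "capturetype=$CaptureType" "tracefile=$TraceFile" maxsize=250 overwrite=yes
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }

    try {
        Start-Sleep -Seconds $Seconds
    } finally {
        # Always stop the session, otherwise it keeps writing after the script ends.
        netsh trace stop
    }
    Get-Item $TraceFile
}

# Capture 30 seconds of both host and VM traffic, then open the .etl in Network Monitor or Message Analyzer.
Start-UnifiedTrace -Seconds 30
```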