Download presentation
Presentation is loading. Please wait.
1
Hyper-V Networking Symon Perriman Jeff Woolsey
Technical Evangelist Principal Program Manager
2
Introduction to Hyper-V Jump Start
First Half Second Half (01) Introduction to Microsoft Virtualization (05) Hyper-V Management (02) Hyper-V Infrastructure (06) Hyper-V High Availability and Live Migration (03) Hyper-V Networking (07) Integration with System Center 2012 Virtual Machine Manager (04) Hyper-V Storage (08) Integration with Other System Center 2012 Components ** MEAL BREAK **
3
Agenda Virtual networks Software Defined Networking
Hyper-V Extensible Switch Network teaming Guest Network Load Balancing
4
Virtual Networks 10/9/2017 7:08 PM
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
5
Virtual Switch Architecture
Implemented as an NDIS 6.0 MUX driver Binds to network adapters as a protocol driver Can enumerate a single-host interface Basic layer-2 switch functionality Dynamically “learns” port to MAC mappings Implements VLANs Does not implement spanning trees Does not implement layer 3
6
Configuring Virtual Networks
Configured from Virtual Switch Manager External networks VMs can communicate with other computers on the network Only 1 per physical NIC Internal networks VMs can communicate with only other VMs on the same host, and with the host computer Private networks VMs can communicate only with other VMs on the same host
7
Virtual Network Adapters
Synthetic Adapters Not based on a physical device Doesn’t support PXE boot Significantly higher performance vs. emulated Drivers provided for supported operating systems Windows Server 2012 extensible switch Legacy (Emulated) Adapters Emulates a physical DEC21140 chipset Supports PXE boot Drivers exist for most operating systems Windows Server 2003 SP2 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Linux (SLES 10, 11) RHEL 5.x/6.x CentOS 5.x/6.x Windows XP Windows Vista Windows 7 Windows 8 OpenSUSE Etc.
8
Network Considerations Customers
How do I ensure network multi-tenancy? IP Address Management is a pain. What if VMs are competing for bandwidth? Fully Leverage Network Fabric How do I integrate with existing fabric? Network Metering? Can I dedicate a NIC to a workload?
9
Hybrid Clouds Windows Server 2012 is optimized for Hybrid Clouds to host multi-tenant workloads Tenant 2: Multiple VM Workloads Data Center Tenant 1: Multiple VM Workloads
10
Even when hardware fails … … customers want continuous availability
Reliability Even when hardware fails … … customers want continuous availability TEAMING Tenant 2: Multiple VM Workloads Data Center Tenant 1: Multiple VM Workloads : Customers don’t want to be impacted by the hosters hardware problems. Hosters want to differentiate by being able to offer always up/on guarantees while accounting for potential hardware failures in the network.
11
Predictability Even when multiple VMs are competing for bandwidth … … customers want predictability Tenant 2: Multiple VM Workloads Data Center Tenant 1: Multiple VM Workloads 15 $$ : Great opportunity to talk about the cloud admins ability to offer differentiated services esp around network workloads on shared infrastructure. For the first time a “Gold” customer can be hosted on the same hardware as a “Bronze” customer without any worry that the “Bronze” customer can impact the networking guarantee of the “Gold” customer. 25 $$$$
12
Security In a multi-tenant environment … … customers want security and isolation Tenant 2: Multiple VM Workloads Data Center Tenant 1: Multiple VM Workloads
13
Multi-Tenant Network Requirements
Tenant wants to easily move VMs to/from the cloud Hoster wants to place VMs anywhere in the data center Both want: Easy Onboarding, Flexibility & Isolation Woodgrove Bank Blue /16 Cloud Data Center Contoso Bank Red /16
14
One Solution: PVLAN Isolation Scenario Community Scenario Isolated
Green Blue Red1 Red2 Hyper-V Switch Isolated 4, 7 Isolated 4, 7 Community 4, 9 Community 4, 9 Win 8 Host Isolation Scenario Hoster wants to isolate all VMs from each other and allow internet connectivity #1 Customer Ask from hosters Community Scenario Hoster wants tenant VMs to interact with each other but not with other tenant VMs Requires a VLAN id for each “community” (limited scalability, only 4095 VLAN IDs) To Internet ( )
15
Software Defined Networking
10/9/2017 7:08 PM Software Defined Networking © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
16
Software Defined Networking (SDN)
10/9/2017 Software Defined Networking (SDN) An SDN solution can accomplish several things Create virtual networks that run on top of the physical network Control traffic flow within the datacenter Create integrated policies that span the physical and virtual networks On a per-VM basis, configure security policies that limit the types of traffic (and destinations) © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
17
SDN: Network Virtualization
Woodgrove network Contoso network Woodgrove VM Contoso VM Physical server Physical network Hyper-V Machine Virtualization Run multiple virtual servers on a physical server Each VM has illusion it is running as a physical server Hyper-V Network Virtualization Run multiple virtual networks on a physical network Each virtual network has illusion it is running as a physical fabric
18
Software Defined Networking (SDN)
10/9/2017 Software Defined Networking (SDN) How network virtualization works Two IP addresses for each virtual machine General Routing Encapsulation (GRE) IP address rewrite Policy management server Problems solved Removes VLAN constraints Eliminates hierarchical IP address assignment for virtual machines On a per-VM basis, configure security policies that limit the types of traffic (and destinations) © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
19
Generic Routing Encapsulation (GRE)
10/9/2017 Generic Routing Encapsulation (GRE) How GRE works Defined by RFC 2784 and 2890 One customer address per virtual machine One provider address per host Tenant network ID MAC header Benefits Lowers burden on switches Allows traffic analysis, metering and control Enable Live Migration across subnets © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
20
Extensibility Customers want specialized functionality with lots of choice … … for firewalls, monitoring and physical fabric integration Tenant 2: Multiple VM Workloads Data Center Tenant 1: Multiple VM Workloads
21
Hyper-V Extensible Switch
10/9/2017 7:08 PM Hyper-V Extensible Switch © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
22
Hyper-V Extensible Switch
10/9/2017 Hyper-V Extensible Switch The Hyper-V Extensible Switch allows a deeper integration with customers’ existing network infrastructure, monitoring, and security tools Windows PowerShell & WMI Management PVLANS ARP/ND Poisoning Protection DHCP Guard Protection Virtual Port ACLs Trunk Mode to Virtual Machines Monitoring & Port Mirroring © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
23
Hyper-V Extensible Switch
VM NIC VM1 VM NIC VM2 Root Partition Windows Filter Platform (WFP) Extensions can inspect, drop, modify, and insert packets using WFP APIs Windows Antivirus and Firewall software uses WFP for traffic filtering Example: Virtual Firewall by 5NINE Software Forwarding extensions direct traffic, defining the destination(s) of each packet Forwarding extensions can capture and filter traffic Examples: Cisco Nexus 1000V and UCS NEC ProgrammableFlow's vPFS OpenFlow Capture extensions can inspect traffic and generate new traffic for report purposes Capture extensions do not modify existing Extensible Switch traffic Example: sflow by inMon Host NIC Filtering Engine BFE Service Firewall Callout Extensible Switch Extension Protocol Capture Extensions (NDIS) Windows Filter Platform (WFP) Forwarding Extensions Forwarding Extensions (NDIS) Extension Miniport Physical NIC
24
Feature Rich Networking in the Box
10/9/2017 7:08 PM Feature Rich Networking in the Box Open, Extensible Virtual Switch Nexus 1000 Support Openflow Support Network Introspection Much more… Advanced Networking ACLs PVLAN …much more… Windows NIC Teaming Network QoS Per VNIC bandwidth reservation & limits Network Metering DVMQ SR-IOV Network Support Reduce Latency & CPU Utilization Supports Live Migration Microsoft Confidential
25
Single-Root I/O Virtualization (SR-IOV)
Reduces latency of network path Reduces CPU utilization for processing network traffic Increases throughput Direct device assignment to virtual machines without compromising flexibility Supports Live Migration Root Partition Virtual Machine Hyper-V Switch Routing VLAN Filtering Data Copy Virtual NIC VMBUS Virtual Function SR-IOV Physical NIC Physical NIC Network I/O path with SR-IOV Network I/O path without SR-IOV
26
SR-IOV Enabling & Live Migration
Turn On IOV Live Migration Post Migration Enable IOV (VM NIC Property) Break Team Reassign Virtual Function Assuming resources are available Virtual Function is “Assigned” Remove VF from VM Team automatically created Migrate as normal Traffic flows through VF Software path is not used Virtual Machine Network Stack Software NIC “TEAM” “TEAM” Software NIC VM has connectivity even if Switch not in IOV mode IOV physical NIC not present Different NIC vendor Different NIC firmware Software Switch (IOV Mode) Software Switch (IOV Mode) Virtual Function Virtual Function SR-IOV Physical NIC Physical NIC SR-IOV Physical NIC
27
DVMQ vs. SR-IOV Considerations
DVMQ Pros: Improves VM Performance Provides Receive Side Scaling benefits by spreading network load across multiple logical processors Can use the Hyper-V Extensible Switch DVMQ Cons: If you need greater than 10 Gb/E for a workload, SR-IOV is likely the better choice SR-IOV Pros: Great performance Great for low latency workloads SR-IOV Cons: Bypasses the virtual switch
28
Cloud Admins Want Scale, Customers Perf DVMQ, IPsec Task Offload, SR-IOV
IPsec Task Offload: Microsoft expects deployment of Internet Protocol security (IPsec) to increase significantly in the coming years. The large demands placed on the CPU by the IPsec integrity and encryption algorithms can reduce the performance of your network connections. IPsec Task Offload is a technology built into the Windows operating system that moves this workload from the main computer's CPU to a dedicated processor on the network adapter. SR-IOV is a specification that allows a PCIe device to appear to be multiple separate physical PCIe devices. The SR-IOV specification was created and is maintained by the PCI SIG, with the idea that a standard specification will help promote interoperability. SR-IOV works by introducing the idea of physical functions (PFs) and virtual functions (VFs). Physical functions (PFs) are full-featured PCIe functions; virtual functions (VFs) are “lightweight” functions that lack configuration resources. Dynamic Virtual Machine Queue (VMQ) dVMQ uses hardware packet filtering to deliver packet data from an external virtual machine network directly to virtual machines, which reduces the overhead of routing packets and copying them from the management operating system to the virtual machine.
29
Advanced Network Security DHCP Guard, Router Guard, Monitor Port
DHCP Guard is a security feature that drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers. Router Guard is a security feature that drops Router Advertisement and Redirection messages from unauthorized virtual machines pretending to be routers. Monitor Mode duplicates all egress and ingress traffic to/from one or more switch ports (being monitored) to another switch port (performing monitoring)
30
Manage to a Service Level Agreement Network Bandwidth & QoS
Bandwidth Management allows you to easily reserve minimum or set maximums to provide QoS controls to manage to a service level agreement
31
Port Mirroring Provided by the Hyper-V Extensible switch
10/9/2017 Port Mirroring Provided by the Hyper-V Extensible switch Administrator can run security and diagnostics applications in virtual machines that can monitor virtual machine network traffic Port mirroring also supports live migration of extension configurations Set-VMNetworkAdapter –VMName MyVM –PortMirroring Source © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
32
10/9/2017 7:08 PM Network Teaming © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
33
Windows Server 2012 Network Teaming
Failover teaming Typically two interfaces Typically connected to different switches Provides redundancy for NIC card, cable, or switch failure Aggregation/load balancing teams Two or more interfaces Divides network traffic between active interfaces by MAC/IP address or protocol Redundancy for NIC card or cable failure Microsoft Supported
34
Port ACL A rule that you can apply to a Hyper-V switch port
Can allow or deny packets Inbound or outbound control ACLs have three elements with the following structure Local or Remote Address Direction Action Add-VMNetworkAdapterAcl
35
PVLANS PVLAN addresses some of the scalability issues of VLANs
Set as a switch port property PVLAN has two VLAN IDs: a primary VLAN ID and a secondary VLAN ID PVLAN may be in one of three modes Isolated Promiscuous Community Set-VMNetworkAdapterVlan
36
Trunk Mode Hyper-V Virtual Switch provides support for VLAN Trunk mode
Provides network services on a virtual machine with the ability to see traffic from multiple VLANS The switch port receives traffic from all VLANs are in an allowed VLAN list Set-VMNetworkAdapterVlan
37
Networking Performance
10/9/2017 Networking Performance The Hyper-V Extensible Switch takes advantage of hardware innovation to drive the highest levels of networking performance within virtual machines Dynamic VMq Dynamically span multiple CPUs when processing virtual machine network traffic IPsec Task Offload Offload IPsec processing from within virtual machine, to physical network adaptor, enhancing performance SR-IOV Support Map virtual function of an SR-IOV-capable physical network adaptor, directly to a virtual machine © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
38
Network Load Balancing
10/9/2017 7:08 PM Network Load Balancing © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
39
VMs Using Network Load Balancing
To configure VMs in a Network Load Balancing (NLB) cluster, enable MAC address spoofing This ensures the virtual switch will not learn MAC addresses, a requirement for NLB to function correctly VMQ does not work with NLB NLB changes the virtual MAC addresses which prevents Hyper-V from dispatching the packets directly to the guest’s queue
40
Windows NIC Teaming in box.
10/9/2017 7:08 PM Windows Server 2012 Networking: It’s All There Feature rich, extensible, in the box, no compromises Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 NIC Teaming Yes, via partners Windows NIC Teaming in box. VLAN Tagging Yes MAC Spoofing Protection No Yes, with R2 SP1 ARP Spoofing Protection SR-IOV Networking Network QoS Network Metering Network Monitor Modes IPsec Task Offload VM Trunk Mode Microsoft Confidential
41
Takeaways Hyper-V is fully integrated in the Windows network stack
10/9/2017 Takeaways Hyper-V is fully integrated in the Windows network stack Use the synthetic network adapter Use VLAN tagging & firewall rules for security Windows Server 2012 includes inbox NIC Teaming for load balancing and failover VMQ provides great performance for most workloads SR-IOV for low latency, high throughput workloads © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
44
Appendix
45
Configuring (MAC) Address Pools
Hyper-V Microsoft reserved first 3 sextet d-**-**-** Each host has a random pool D-**-**-00 Sysprepping after installing Hyper-V will cause both hosts to have the same pool Default range of 256 addresses D-**-**-FF Will avoid conflicts on the same host Use Microsoft System Center 2012 Service Pack 1 – Virtual Machine Manager (VMM) to avoid conflicts across hosts VMM Uses broader range than Hyper-V First three sextets standard, but changeable 00-1D-D8-**-**-** Default range of 3,998,719 addresses 00-1D-D8-B7-1C-00 00-1D-D8-F4-1F-FF If changing the first three sextets do not used reserved ranges from Microsoft, VMware, or Citrix
46
10/9/2017 7:08 PM Virtual LAN © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
47
Virtual LAN (VLAN) IEEE 802.1Q - Layer 2 extension of Ethernet to allow multiple bridged networks to share a common physical link Egress (outbound) network frames are “tagged” with a VLAN identifier (tag) Ingress (inbound) network frames are stripped of their VLAN identifier (tag) A VLAN ID is the integer which uniquely identifies a node as belonging to a particular VLAN. As per the 802.1Q specification, the VLAN ID itself is encapsulated within the Ethernet frame, which is how multiple VMs using the same physical NIC can communication on different VLANs simultaneously.
48
VLAN Tagging Methods Virtual NIC tagging Static switch port tags
VLAN specified per virtual NIC Configured In Hyper-V and VMM UI and APIs Static switch port tags VLAN specified per physical switch port Configured on physical network switch MAC address tagging MAC address to VLAN mapping created Physical NIC tagging VLAN specified on the physical NIC First, you need physical NICs which support VLAN tagging and you need to enable the feature. However, you should generally not set the VLAN ID at the physical NIC; it should be set on either the virtual switch or the individual virtual machine’s configuration. The VLAN ID on the virtual switch is what the host or parent partition uses. The VLAN ID setting on the individual virtual machine’s settings is what each VM will use. When creating an external network in Hyper-V, a virtual network switch is created and bound to the selected physical adapter. A new virtual network adapter is created in the parent partition and connected to the virtual network switch. Child partitions can be bound to the virtual network switch by using virtual network adapters. Hyper-V also supports the use of VLANs and VLAN IDs with the virtual network switch and virtual network adapters. Hyper-V leverages 802.1q VLAN trunking to achieve this objective.
49
VLAN Tags VLANs are used to isolate network traffic for nodes that are connected to the same physical network Use VLANs to Isolate Hyper-V host management networks Isolate virtual machines connected to external networks Isolate virtual machines on a single host computer To enable Virtual Local Area Network Identification (VLAN ID) for a virtual network, click to select the Enable virtual LAN identification check box to enable VLAN ID and to specify an ID. You specify an ID under Virtual Network Properties on the Virtual Network Manager page in the Hyper-V Manager. To enable VLAN ID for a virtual machine, access the properties of the virtual machine, and then select the virtual network adapter. Click to select the Enable virtual LAN identification check box to enable VLAN tagging and to specify an ID that you want the virtual machine connection to use. A virtual machine may have multiple network adapters, and all these adapters may use either the same or different VLAN IDs. Therefore, you must perform this action on each network adapter. Consider drawing a diagram to discuss the different ways that VLANs can be used. Ensure that you show the network switch on the diagram to reinforce the concept that the VLANs must be configured on the network switch. Also emphasize that the network switch must be configured to use VLAN identifiers and not port based VLANs. 49
50
Configuring VLAN Tags Configure VLAN identifiers VM Properties
On internal and external virtual networks On the network adapters attached to virtual machines VM Properties Virtual Network VLAN Tags are used to improve security by isolated specific hosts on specific networks Tags need to be configured on both the VM and host
51
Quality of Service (QoS) and Data Center Bridging (DCB)
10/9/2017 7:08 PM Quality of Service (QoS) and Data Center Bridging (DCB) © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
52
Hyper-V QoS Maximum and minimum Management OS VM 1 VM n Live Migration
Phy NIC Load-Balancing Failover (LBFO) Team NIC Hyper-V virtual switch VM 1 VM n Management OS Live Migration Storage Management Target Use Ensuring workloads have fair sharing, e.g. equal weights between VMs Maximum and minimum
53
Minimum Bandwidth Modes
Absolute mode Configure bandwidth directly in bits per second Prohibits over-subscription Requires careful planning Weights mode Configure weight relative to other flows B/W percentage of flow = 𝑊𝑒𝑖𝑔ℎ𝑡 𝑜𝑓 𝑓𝑙𝑜𝑤 𝑆𝑢𝑚 𝑜𝑓 𝑤𝑒𝑖𝑔ℎ𝑡 𝑜𝑓 𝑎𝑙𝑙 𝑓𝑙𝑜𝑤𝑠 x 100 Automatically adjusted for transition between 1G and 10G
54
Default Flow Per Virtual Switch
Customers may group a number of VMs that each don’t have minimum bandwidth. They will be bucketized into a default flow which has minimum weight allocation. This is to prevent starvation. VM1 VM2 Gold Tenant ? ? 10 Hyper-V Extensible Switch 1 Gbps
55
Maximum Bandwidth for Tenants
One common customer pain point is WAN links are expensive Cap VM throughput to the Internet to avoid bill shock Unified Remote Access Gateway <100Mb ∞ Hyper-V Extensible Switch Internet Intranet
56
QoS (or DCB) in Network Adapter
Data center bridging is IEEE standards Allow customers to manage bandwidth for traffic offloaded to network adapter Support flow control* per specific type of traffic that is sensitive to packet loss DCB is almost a commodity feature now as most IHVs support it in 10GbE * Priority-based flow control must also be supported by a remote device (typically, a switch)
57
Data Center Bridging on Windows Server 2012
QoS Application Application Application PowerShell WMI Application Winsock File I/O API Traffic Classification Windows Network Stack Windows Storage Stack Up to 8 classes DCB LAN Miniport iSCSI Miniport
58
Data Center Bridging on Windows Server 2012
QoS Application Application Application PowerShell WMI Application Winsock File I/O API Traffic Classification Windows Network Stack Windows Storage Stack Up to 8 classes kRDMA DCB LAN Miniport
59
DHCP Guard DHCPGuard allows you to specify whether DHCP server messages coming from a VM should be dropped For VMs that are running an authorized instance of the DHCP server role, you can turn DHCPGuard off Set-VMNetworkAdapter DHCPGuard allows you to specify whether DHCP server messages coming from a VM should be dropped. For VMs that are running an authorized instance of the DHCP server role, you can turn DHCPGuard off Set-VMNetworkAdapter –VMName MyDhcpServer1 –DhcpGuard Off Set-VMNetworkAdapter –VMName MyDhcpServer1 –DhcpGuard On
60
ARP/ND Poisoning Protection
Provides protection against a malicious VM using Address Resolution Protocol (ARP) spoofing to steal IP addresses from other VMs Protection for both IPv4 and IPv6 ARP/ND Poisoning (spoofing) protection: Provides protection against a malicious VM using Address Resolution Protocol (ARP) spoofing to steal IP addresses from other VMs. Provides protection against attacks that can be launched for IPv6 using Neighbor Discovery (ND) spoofing. The Hyper-V Extensible Switch provides protection against a malicious virtual machine stealing IP addresses from other virtual machines through ARP spoofing (also known as ARP poisoning in IPv4). With this type of man-in-the-middle attack, a malicious virtual machine sends a fake ARP message, which associates its own MAC address to an IP address that it doesn’t own. Unsuspecting virtual machines send network traffic targeted to that IP address to the MAC address of the malicious virtual machine instead of the intended destination. For IPv6, Windows Server 2012 provides equivalent protection for ND spoofing.
61
10/9/2017 7:08 PM Diagnostics © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
62
Events Tracing (ETW) Unified logging facility provided by the OS
10/9/2017 Events Tracing (ETW) Unified logging facility provided by the OS Provides holistic view of the system High speed 1200 to 2000 cycles per logging event Low overhead Less than 5% of the total CPU cycles for 20,000 events/sec Works for both user mode applications and drivers Tracing sessions and event provider separated Dynamically enabled or disabled Designed to allow tracing of production code Event Tracing for Windows (ETW) provides application programmers the ability to start and stop event tracing sessions, instrument an application to provide trace events, and consume trace events. Trace events contain an event header and provider-defined data that describes the current state of an application or operation. You can use the events to debug an application and perform capacity and performance analysis. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
63
Unified Tracing A new parameter is added to the Netsh Trace commands
10/9/2017 Unified Tracing A new parameter is added to the Netsh Trace commands The new Netsh Trace parameter, capturetype, can be used to capture Physical computer traffic (traffic that originates or terminates on the physical computer) Virtual machine traffic (traffic that originates or terminates on virtual machines) Traffic that traverses the Hyper-V virtual switch In Windows Server 2012, a new parameter is added to the Netsh Trace commands that are provided in Windows Server 2008 R2. The new parameter extends tracing capabilities and enables network administrators more efficiently capture network traffic, making the process of troubleshooting network issues more effective and efficient. In Windows Server 2012, you can use the new Netsh Trace parameter, capturetype, to capture: Physical computer traffic (traffic that originates or terminates on the physical computer) Virtual machine traffic (traffic that originates or terminates on virtual machines) Traffic that traverses the Hyper-V virtual switch The combination of these new capabilities with the tracing capabilities that are provided in Windows Server 2008 R2 is known as Unified Tracing. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.