1. Hyper-V Networking Symon Perriman Jeff Woolsey
Technical Evangelist Principal Program Manager

2. Introduction to Hyper-V Jump Start
First Half
Second Half
(01) Introduction to Microsoft Virtualization
(05) Hyper-V Management
(02) Hyper-V Infrastructure
(06) Hyper-V High Availability and Live Migration
(03) Hyper-V Networking
(07) Integration with System Center 2012 Virtual Machine Manager
(04) Hyper-V Storage
(08) Integration with Other System Center 2012 Components
** MEAL BREAK **

3. Agenda Virtual networks Software Defined Networking
Hyper-V Extensible Switch
Network teaming
Guest Network Load Balancing

4. Virtual Networks 10/9/2017 7:08 PM
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5. Virtual Switch Architecture
Implemented as an NDIS 6.0 MUX driver
Binds to network adapters as a protocol driver
Can enumerate a single-host interface
Basic layer-2 switch functionality
Dynamically “learns” port to MAC mappings
Implements VLANs
Does not implement spanning trees
Does not implement layer 3

6. Configuring Virtual Networks
Configured from Virtual Switch Manager
External networks
VMs can communicate with other computers on the network
Only 1 per physical NIC
Internal networks
VMs can communicate with only other VMs on the same host, and with the host computer
Private networks
VMs can communicate only with other VMs on the same host

7. Virtual Network Adapters
Synthetic Adapters
Not based on a physical device
Doesn’t support PXE boot
Significantly higher performance vs. emulated
Drivers provided for supported operating systems
Windows Server 2012 extensible switch
Legacy (Emulated) Adapters
Emulates a physical DEC21140 chipset
Supports PXE boot
Drivers exist for most operating systems
Windows Server 2003 SP2
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Linux (SLES 10, 11)
RHEL 5.x/6.x
CentOS 5.x/6.x
Windows XP
Windows Vista
Windows 7
Windows 8
OpenSUSE
Etc.

8. Network Considerations Customers
How do I ensure network multi-tenancy?
IP Address Management is a pain.
What if VMs are competing for bandwidth?
Fully Leverage Network Fabric
How do I integrate with existing fabric?
Network Metering?
Can I dedicate a NIC to a workload?

9. Hybrid Clouds
Windows Server 2012 is optimized for Hybrid Clouds to host multi-tenant workloads
Tenant 2: Multiple VM Workloads
Data Center
Tenant 1: Multiple VM Workloads

10. Even when hardware fails … … customers want continuous availability
Reliability
Even when hardware fails … … customers want continuous availability
TEAMING
Tenant 2: Multiple VM Workloads
Data Center
Tenant 1: Multiple VM Workloads
: Customers don’t want to be impacted by the hosters hardware problems. Hosters want to differentiate by being able to offer always up/on guarantees while accounting for potential hardware failures in the network.

11. Predictability
Even when multiple VMs are competing for bandwidth … … customers want predictability
Tenant 2: Multiple VM Workloads
Data Center
Tenant 1: Multiple VM Workloads 15 $$
: Great opportunity to talk about the cloud admins ability to offer differentiated services esp around network workloads on shared infrastructure. For the first time a “Gold” customer can be hosted on the same hardware as a “Bronze” customer without any worry that the “Bronze” customer can impact the networking guarantee of the “Gold” customer. 25
$$$$

12. Security
In a multi-tenant environment … … customers want security and isolation
Tenant 2: Multiple VM Workloads
Data Center
Tenant 1: Multiple VM Workloads

13. Multi-Tenant Network Requirements
Tenant wants to easily move VMs to/from the cloud
Hoster wants to place VMs anywhere in the data center
Both want: Easy Onboarding, Flexibility & Isolation
Woodgrove Bank
Blue /16
Cloud Data Center
Contoso Bank
Red /16

14. One Solution: PVLAN Isolation Scenario Community Scenario Isolated
Green
Blue
Red1
Red2
Hyper-V Switch
Isolated
4, 7
Isolated
4, 7
Community
4, 9
Community
4, 9
Win 8 Host
Isolation Scenario
Hoster wants to isolate all VMs from each other and allow internet connectivity
#1 Customer Ask from hosters
Community Scenario
Hoster wants tenant VMs to interact with each other but not with other tenant VMs
Requires a VLAN id for each “community” (limited scalability, only 4095 VLAN IDs)
To Internet ( )

15. Software Defined Networking
10/9/2017 7:08 PM
Software Defined Networking
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

16. Software Defined Networking (SDN)
10/9/2017
Software Defined Networking (SDN)
An SDN solution can accomplish several things
Create virtual networks that run on top of the physical network
Control traffic flow within the datacenter
Create integrated policies that span the physical and virtual networks
On a per-VM basis, configure security policies that limit the types of traffic (and destinations)
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

17. SDN: Network Virtualization
Woodgrove network
Contoso network
Woodgrove VM
Contoso VM
Physical
server
Physical network
Hyper-V Machine Virtualization
Run multiple virtual servers on a physical server
Each VM has illusion it is running as a physical server
Hyper-V Network Virtualization
Run multiple virtual networks on a physical network
Each virtual network has illusion it is running as a physical fabric

18. Software Defined Networking (SDN)
10/9/2017
Software Defined Networking (SDN)
How network virtualization works
Two IP addresses for each virtual machine
General Routing Encapsulation (GRE)
IP address rewrite
Policy management server
Problems solved
Removes VLAN constraints
Eliminates hierarchical IP address assignment for virtual machines
On a per-VM basis, configure security policies that limit the types of traffic (and destinations)
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

19. Generic Routing Encapsulation (GRE)
10/9/2017
Generic Routing Encapsulation (GRE)
How GRE works
Defined by RFC 2784 and 2890
One customer address per virtual machine
One provider address per host
Tenant network ID
MAC header
Benefits
Lowers burden on switches
Allows traffic analysis, metering and control
Enable Live Migration across subnets
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

20. Extensibility
Customers want specialized functionality with lots of choice … … for firewalls, monitoring and physical fabric integration
Tenant 2: Multiple VM Workloads
Data Center
Tenant 1: Multiple VM Workloads

21. Hyper-V Extensible Switch
10/9/2017 7:08 PM
Hyper-V Extensible Switch
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

22. Hyper-V Extensible Switch
10/9/2017
Hyper-V Extensible Switch
The Hyper-V Extensible Switch allows a deeper integration with customers’ existing network infrastructure, monitoring, and security tools
Windows PowerShell & WMI Management
PVLANS
ARP/ND Poisoning Protection
DHCP Guard Protection
Virtual Port ACLs
Trunk Mode to Virtual Machines
Monitoring & Port Mirroring
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23. Hyper-V Extensible Switch
VM NIC
VM1
VM NIC
VM2
Root Partition
Windows Filter Platform (WFP) Extensions can inspect, drop, modify, and insert packets using WFP APIs
Windows Antivirus and Firewall software uses WFP for traffic filtering
Example: Virtual Firewall by 5NINE Software
Forwarding extensions direct traffic, defining the destination(s) of each packet
Forwarding extensions can capture and filter traffic
Examples:
Cisco Nexus 1000V and UCS
NEC ProgrammableFlow's vPFS OpenFlow
Capture extensions can inspect traffic and generate new traffic for report purposes
Capture extensions do not modify existing Extensible Switch traffic
Example: sflow by inMon
Host NIC
Filtering Engine
BFE Service
Firewall
Callout
Extensible Switch
Extension Protocol
Capture Extensions (NDIS)
Windows Filter Platform (WFP)
Forwarding Extensions
Forwarding Extensions (NDIS)
Extension Miniport
Physical NIC

24. Feature Rich Networking in the Box
10/9/2017 7:08 PM
Feature Rich Networking in the Box
Open, Extensible Virtual Switch
Nexus 1000 Support
Openflow Support
Network Introspection
Much more…
Advanced Networking
ACLs
PVLAN
…much more…
Windows NIC Teaming
Network QoS
Per VNIC bandwidth reservation & limits
Network Metering
DVMQ
SR-IOV Network Support
Reduce Latency & CPU Utilization
Supports Live Migration
Microsoft Confidential

25. Single-Root I/O Virtualization (SR-IOV)
Reduces latency of network path
Reduces CPU utilization for processing network traffic
Increases throughput
Direct device assignment to virtual machines without compromising flexibility
Supports Live Migration
Root Partition
Virtual Machine
Hyper-V Switch
Routing
VLAN Filtering
Data Copy
Virtual NIC
VMBUS
Virtual Function
SR-IOV Physical NIC
Physical NIC
Network I/O path with SR-IOV
Network I/O path without SR-IOV

26. SR-IOV Enabling & Live Migration
Turn On IOV
Live Migration
Post Migration
Enable IOV (VM NIC Property)
Break Team
Reassign Virtual Function
Assuming resources are available
Virtual Function is “Assigned”
Remove VF from VM
Team automatically created
Migrate as normal
Traffic flows through VF
Software path is not used
Virtual Machine
Network Stack
Software NIC
“TEAM”
“TEAM”
Software NIC
VM has connectivity even if
Switch not in IOV mode
IOV physical NIC not present
Different NIC vendor
Different NIC firmware
Software Switch
(IOV Mode)
Software Switch
(IOV Mode)
Virtual Function
Virtual Function
SR-IOV Physical NIC
Physical NIC
SR-IOV Physical NIC

27. DVMQ vs. SR-IOV Considerations
DVMQ Pros:
Improves VM Performance
Provides Receive Side Scaling benefits by spreading network load across multiple logical processors
Can use the Hyper-V Extensible Switch
DVMQ Cons:
If you need greater than 10 Gb/E for a workload, SR-IOV is likely the better choice
SR-IOV Pros:
Great performance
Great for low latency workloads
SR-IOV Cons:
Bypasses the virtual switch

28. Cloud Admins Want Scale, Customers Perf DVMQ, IPsec Task Offload, SR-IOV
IPsec Task Offload: Microsoft expects deployment of Internet Protocol security (IPsec) to increase significantly in the coming years. The large demands placed on the CPU by the IPsec integrity and encryption algorithms can reduce the performance of your network connections. IPsec Task Offload is a technology built into the Windows operating system that moves this workload from the main computer's CPU to a dedicated processor on the network adapter.
SR-IOV is a specification that allows a PCIe device to appear to be multiple separate physical PCIe devices. The SR-IOV specification was created and is maintained by the PCI SIG, with the idea that a standard specification will help promote interoperability. SR-IOV works by introducing the idea of physical functions (PFs) and virtual functions (VFs). Physical functions (PFs) are full-featured PCIe functions; virtual functions (VFs) are “lightweight” functions that lack configuration resources.
Dynamic Virtual Machine Queue (VMQ) dVMQ uses hardware packet filtering to deliver packet data from an external virtual machine network directly to virtual machines, which reduces the overhead of routing packets and copying them from the management operating system to the virtual machine.

29. Advanced Network Security DHCP Guard, Router Guard, Monitor Port
DHCP Guard is a security feature that drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers.
Router Guard is a security feature that drops Router Advertisement and Redirection messages from unauthorized virtual machines pretending to be routers.
Monitor Mode duplicates all egress and ingress traffic to/from one or more switch ports (being monitored) to another switch port (performing monitoring)

30. Manage to a Service Level Agreement Network Bandwidth & QoS
Bandwidth Management allows you to easily reserve minimum or set maximums to provide QoS controls to manage to a service level agreement

31. Port Mirroring Provided by the Hyper-V Extensible switch
10/9/2017
Port Mirroring
Provided by the Hyper-V Extensible switch
Administrator can run security and diagnostics applications in virtual machines that can monitor virtual machine network traffic
Port mirroring also supports live migration of extension configurations
Set-VMNetworkAdapter –VMName MyVM –PortMirroring Source
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

32. 10/9/2017 7:08 PM
Network Teaming
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

33. Windows Server 2012 Network Teaming
Failover teaming
Typically two interfaces
Typically connected to different switches
Provides redundancy for NIC card, cable, or switch failure
Aggregation/load balancing teams
Two or more interfaces
Divides network traffic between active interfaces by MAC/IP address or protocol
Redundancy for NIC card or cable failure
Microsoft Supported

34. Port ACL A rule that you can apply to a Hyper-V switch port
Can allow or deny packets
Inbound or outbound control
ACLs have three elements with the following structure
Local or Remote Address
Direction
Action
Add-VMNetworkAdapterAcl

35. PVLANS PVLAN addresses some of the scalability issues of VLANs
Set as a switch port property
PVLAN has two VLAN IDs: a primary VLAN ID and a secondary VLAN ID
PVLAN may be in one of three modes
Isolated
Promiscuous
Community
Set-VMNetworkAdapterVlan

36. Trunk Mode Hyper-V Virtual Switch provides support for VLAN Trunk mode
Provides network services on a virtual machine with the ability to see traffic from multiple VLANS
The switch port receives traffic from all VLANs are in an allowed VLAN list
Set-VMNetworkAdapterVlan

37. Networking Performance
10/9/2017
Networking Performance
The Hyper-V Extensible Switch takes advantage of hardware innovation to drive the highest levels of networking performance within virtual machines
Dynamic VMq
Dynamically span multiple CPUs when processing virtual machine network traffic
IPsec Task Offload
Offload IPsec processing from within virtual machine, to physical network adaptor, enhancing performance
SR-IOV Support
Map virtual function of an SR-IOV-capable physical network adaptor, directly to a virtual machine
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

38. Network Load Balancing
10/9/2017 7:08 PM
Network Load Balancing
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

39. VMs Using Network Load Balancing
To configure VMs in a Network Load Balancing (NLB) cluster, enable MAC address spoofing
This ensures the virtual switch will not learn MAC addresses, a requirement for NLB to function correctly
VMQ does not work with NLB
NLB changes the virtual MAC addresses which prevents Hyper-V from dispatching the packets directly to the guest’s queue

40. Windows NIC Teaming in box.
10/9/2017 7:08 PM
Windows Server 2012 Networking: It’s All There Feature rich, extensible, in the box, no compromises
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
NIC Teaming
Yes, via partners
Windows NIC Teaming in box.
VLAN Tagging
Yes
MAC Spoofing Protection No
Yes, with R2 SP1
ARP Spoofing Protection
SR-IOV Networking
Network QoS
Network Metering
Network Monitor Modes
IPsec Task Offload
VM Trunk Mode
Microsoft Confidential

41. Takeaways Hyper-V is fully integrated in the Windows network stack
10/9/2017
Takeaways
Hyper-V is fully integrated in the Windows network stack
Use the synthetic network adapter
Use VLAN tagging & firewall rules for security
Windows Server 2012 includes inbox NIC Teaming for load balancing and failover
VMQ provides great performance for most workloads
SR-IOV for low latency, high throughput workloads
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

44. Appendix

45. Configuring (MAC) Address Pools
Hyper-V
Microsoft reserved first 3 sextet
d-**-**-**
Each host has a random pool
D-**-**-00
Sysprepping after installing Hyper-V will cause both hosts to have the same pool
Default range of 256 addresses
D-**-**-FF
Will avoid conflicts on the same host
Use Microsoft System Center 2012 Service Pack 1 – Virtual Machine Manager (VMM) to avoid conflicts across hosts
VMM
Uses broader range than Hyper-V
First three sextets standard, but changeable
00-1D-D8-**-**-**
Default range of 3,998,719 addresses
00-1D-D8-B7-1C-00
00-1D-D8-F4-1F-FF
If changing the first three sextets do not used reserved ranges from Microsoft, VMware, or Citrix

46. 10/9/2017 7:08 PM
Virtual LAN
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

47. Virtual LAN (VLAN)
IEEE 802.1Q - Layer 2 extension of Ethernet to allow multiple bridged networks to share a common physical link
Egress (outbound) network frames are “tagged” with a VLAN identifier (tag)
Ingress (inbound) network frames are stripped of their VLAN identifier (tag)
A VLAN ID is the integer which uniquely identifies a node as belonging to a particular VLAN. As per the 802.1Q specification, the VLAN ID itself is encapsulated within the Ethernet frame, which is how multiple VMs using the same physical NIC can communication on different VLANs simultaneously.

48. VLAN Tagging Methods Virtual NIC tagging Static switch port tags
VLAN specified per virtual NIC
Configured In Hyper-V and VMM UI and APIs
Static switch port tags
VLAN specified per physical switch port
Configured on physical network switch
MAC address tagging
MAC address to VLAN mapping created
Physical NIC tagging
VLAN specified on the physical NIC
First, you need physical NICs which support VLAN tagging and you need to enable the feature. However, you should generally not set the VLAN ID at the physical NIC; it should be set on either the virtual switch or the individual virtual machine’s configuration. The VLAN ID on the virtual switch is what the host or parent partition uses. The VLAN ID setting on the individual virtual machine’s settings is what each VM will use.
When creating an external network in Hyper-V, a virtual network switch is created and bound to the selected physical adapter. A new virtual network adapter is created in the parent partition and connected to the virtual network switch. Child partitions can be bound to the virtual network switch by using virtual network adapters.
Hyper-V also supports the use of VLANs and VLAN IDs with the virtual network switch and virtual network adapters. Hyper-V leverages 802.1q VLAN trunking to achieve this objective.

49. VLAN Tags
VLANs are used to isolate network traffic for nodes that are connected to the same physical network
Use VLANs to
Isolate Hyper-V host management networks
Isolate virtual machines connected to external networks
Isolate virtual machines on a single host computer
To enable Virtual Local Area Network Identification (VLAN ID) for a virtual network, click to select the Enable virtual LAN identification check box to enable VLAN ID and to specify an ID. You specify an ID under Virtual Network Properties on the Virtual Network Manager page in the Hyper-V Manager.
To enable VLAN ID for a virtual machine, access the properties of the virtual machine, and then select the virtual network adapter. Click to select the Enable virtual LAN identification check box to enable VLAN tagging and to specify an ID that you want the virtual machine connection to use. A virtual machine may have multiple network adapters, and all these adapters may use either the same or different VLAN IDs. Therefore, you must perform this action on each network adapter.
Consider drawing a diagram to discuss the different ways that VLANs can be used. Ensure that you show the network switch on the diagram to reinforce the concept that the VLANs must be configured on the network switch. Also emphasize that the network switch must be configured to use VLAN identifiers and not port based VLANs. 49

50. Configuring VLAN Tags Configure VLAN identifiers VM Properties
On internal and external virtual networks
On the network adapters attached to virtual machines
VM Properties
Virtual Network
VLAN Tags are used to improve security by isolated specific hosts on specific networks
Tags need to be configured on both the VM and host

51. Quality of Service (QoS) and Data Center Bridging (DCB)
10/9/2017 7:08 PM
Quality of Service (QoS) and Data Center Bridging (DCB)
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

52. Hyper-V QoS Maximum and minimum Management OS VM 1 VM n Live Migration
Phy NIC
Load-Balancing Failover (LBFO) Team NIC
Hyper-V virtual switch
VM 1
VM n
Management OS
Live Migration
Storage
Management
Target Use
Ensuring workloads have fair sharing, e.g. equal weights between VMs
Maximum and minimum

53. Minimum Bandwidth Modes
Absolute mode
Configure bandwidth directly in bits per second
Prohibits over-subscription
Requires careful planning
Weights mode
Configure weight relative to other flows
B/W percentage of flow = 𝑊𝑒𝑖𝑔ℎ𝑡 𝑜𝑓 𝑓𝑙𝑜𝑤 𝑆𝑢𝑚 𝑜𝑓 𝑤𝑒𝑖𝑔ℎ𝑡 𝑜𝑓 𝑎𝑙𝑙 𝑓𝑙𝑜𝑤𝑠 x 100
Automatically adjusted for transition between 1G and 10G

54. Default Flow Per Virtual Switch
Customers may group a number of VMs that each don’t have minimum bandwidth. They will be bucketized into a default flow which has minimum weight allocation. This is to prevent starvation.
VM1
VM2
Gold Tenant ? ? 10
Hyper-V Extensible Switch
1 Gbps

55. Maximum Bandwidth for Tenants
One common customer pain point is WAN links are expensive
Cap VM throughput to the Internet to avoid bill shock
Unified Remote Access Gateway
<100Mb ∞
Hyper-V Extensible Switch
Internet
Intranet

56. QoS (or DCB) in Network Adapter
Data center bridging is IEEE standards
Allow customers to manage bandwidth for traffic offloaded to network adapter
Support flow control* per specific type of traffic that is sensitive to packet loss
DCB is almost a commodity feature now as most IHVs support it in 10GbE
* Priority-based flow control must also be supported by a remote device (typically, a switch)

57. Data Center Bridging on Windows Server 2012
QoS
Application
Application
Application
PowerShell
WMI
Application
Winsock
File I/O API
Traffic Classification
Windows Network Stack
Windows Storage Stack
Up to 8 classes
DCB
LAN Miniport
iSCSI Miniport

58. Data Center Bridging on Windows Server 2012
QoS
Application
Application
Application
PowerShell
WMI
Application
Winsock
File I/O API
Traffic Classification
Windows Network Stack
Windows Storage Stack
Up to 8 classes
kRDMA
DCB
LAN Miniport

59. DHCP Guard
DHCPGuard allows you to specify whether DHCP server messages coming from a VM should be dropped
For VMs that are running an authorized instance of the DHCP server role, you can turn DHCPGuard off
Set-VMNetworkAdapter
DHCPGuard allows you to specify whether DHCP server messages coming from a VM should be dropped. For VMs that are running an authorized instance of the DHCP server role, you can turn DHCPGuard off
Set-VMNetworkAdapter –VMName MyDhcpServer1 –DhcpGuard Off
Set-VMNetworkAdapter –VMName MyDhcpServer1 –DhcpGuard On

60. ARP/ND Poisoning Protection
Provides protection against a malicious VM using Address Resolution Protocol (ARP) spoofing to steal IP addresses from other VMs
Protection for both IPv4 and IPv6
ARP/ND Poisoning (spoofing) protection: Provides protection against a malicious VM using Address Resolution Protocol (ARP) spoofing to steal IP addresses from other VMs. Provides protection against attacks that can be launched for IPv6 using Neighbor Discovery (ND) spoofing.
The Hyper-V Extensible Switch provides protection against a malicious virtual machine stealing IP addresses from other virtual machines through ARP spoofing (also known as ARP poisoning in IPv4). With this type of man-in-the-middle attack, a malicious virtual machine sends a fake ARP message, which associates its own MAC address to an IP address that it doesn’t own. Unsuspecting virtual machines send network traffic targeted to that IP address to the MAC address of the malicious virtual machine instead of the intended destination. For IPv6, Windows Server 2012 provides equivalent protection for ND spoofing.

61. 10/9/2017 7:08 PM
Diagnostics
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

62. Events Tracing (ETW) Unified logging facility provided by the OS
10/9/2017
Events Tracing (ETW)
Unified logging facility provided by the OS
Provides holistic view of the system
High speed
1200 to 2000 cycles per logging event
Low overhead
Less than 5% of the total CPU cycles for 20,000 events/sec
Works for both user mode applications and drivers
Tracing sessions and event provider separated
Dynamically enabled or disabled
Designed to allow tracing of production code
Event Tracing for Windows (ETW) provides application programmers the ability to start and stop event tracing sessions, instrument an application to provide trace events, and consume trace events. Trace events contain an event header and provider-defined data that describes the current state of an application or operation. You can use the events to debug an application and perform capacity and performance analysis.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

63. Unified Tracing A new parameter is added to the Netsh Trace commands
10/9/2017
Unified Tracing
A new parameter is added to the Netsh Trace commands
The new Netsh Trace parameter, capturetype, can be used to capture
Physical computer traffic (traffic that originates or terminates on the physical computer)
Virtual machine traffic (traffic that originates or terminates on virtual machines)
Traffic that traverses the Hyper-V virtual switch
In Windows Server 2012, a new parameter is added to the Netsh Trace commands that are provided in Windows Server 2008 R2. The new parameter extends tracing capabilities and enables network administrators more efficiently capture network traffic, making the process of troubleshooting network issues more effective and efficient.
In Windows Server 2012, you can use the new Netsh Trace parameter, capturetype, to capture:
Physical computer traffic (traffic that originates or terminates on the physical computer)
Virtual machine traffic (traffic that originates or terminates on virtual machines)
Traffic that traverses the Hyper-V virtual switch
The combination of these new capabilities with the tracing capabilities that are provided in Windows Server 2008 R2 is known as Unified Tracing.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.