Hyper-V Networking


Microsoft Virtual Academy

Hyper-V Networking

Symon Perriman, Technical Evangelist
Jeff Woolsey, Principal Program Manager

Introduction to Hyper-V Jump Start

First Half
(01) Introduction to Microsoft Virtualization
(02) Hyper-V Infrastructure
(03) Hyper-V Networking
(04) Hyper-V Storage

** MEAL BREAK **

Second Half
(05) Hyper-V Management
(06) Hyper-V High Availability and Live Migration
(07) Integration with System Center 2012 Virtual Machine Manager
(08) Integration with Other System Center 2012 Components

Agenda
• Virtual networks
• Software Defined Networking
• Hyper-V Extensible Switch
• Network teaming
• Guest Network Load Balancing

Virtual Networks

Virtual Switch Architecture
• Implemented as an NDIS 6.0 MUX driver
• Binds to network adapters as a protocol driver
• Can enumerate a single-host interface
• Basic layer-2 switch functionality
• Dynamically “learns” port-to-MAC mappings
• Implements VLANs
• Does not implement spanning tree
• Does not implement layer 3

Configuring Virtual Networks
Configured from Virtual Switch Manager
• External networks: VMs can communicate with other computers on the network. Only 1 per physical NIC.
• Internal networks: VMs can communicate only with other VMs on the same host, and with the host computer.
• Private networks: VMs can communicate only with other VMs on the same host.

Virtual Network Adapters
Synthetic adapters
• Not based on a physical device
• Doesn’t support PXE boot
• Significantly higher performance vs. emulated
• Drivers provided for supported operating systems
(Diagram label: Windows Server 2012 extensible switch)

Legacy (emulated) adapters
• Emulates a physical DEC 21140 chipset
• Supports PXE boot
• Drivers exist for most operating systems

Guest operating systems listed on the slide: Windows Server 2003 SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows XP, Windows Vista, Windows 7, Windows 8, Linux (SLES 10, 11), RHEL 5.x/6.x, CentOS 5.x/6.x, OpenSUSE, etc.
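The switch types and adapter types above, driven from PowerShell. This is an added example, not code from the deck or from Microsoft; the physical adapter name "Ethernet 2" and the VM name "Web01" are placeholders.

```powershell
# Added example (not from the slide deck): create the three Hyper-V virtual switch
# types described above and attach a synthetic and a legacy adapter to a VM.
# Assumptions: a physical NIC named "Ethernet 2" and a VM named "Web01" exist (placeholders).

$physicalNic = "Ethernet 2"   # placeholder physical adapter name (see Get-NetAdapter)
$vmName      = "Web01"        # placeholder VM name

# External: VMs reach the physical network; only one external switch per physical NIC.
# -AllowManagementOS $false keeps the host's own stack off the tenant-facing NIC.
New-VMSwitch -Name "vSwitch-External" -NetAdapterName $physicalNic -AllowManagementOS $false

# Internal: VMs talk only to each other and to the host (the host gets a vNIC on it).
New-VMSwitch -Name "vSwitch-Internal" -SwitchType Internal

# Private: VMs talk only to other VMs on this host; no host or physical network access.
New-VMSwitch -Name "vSwitch-Private" -SwitchType Private

# Synthetic adapter (the default): higher performance, needs guest drivers, no PXE boot.
Add-VMNetworkAdapter -VMName $vmName -Name "Tenant-NIC" -SwitchName "vSwitch-External"

# Legacy (emulated DEC 21140) adapter: only where PXE boot or a guest without synthetic
# drivers requires it; it is slower and exposes an emulated device to the guest.
Add-VMNetworkAdapter -VMName $vmName -Name "PXE-NIC" -SwitchName "vSwitch-Internal" -IsLegacy $true

# Review what each VM adapter is connected to and whether it is emulated.
Get-VMNetworkAdapter -VMName $vmName |
    Select-Object VMName, Name, SwitchName, IsLegacy, MacAddress |
    Format-Table -AutoSize
```

Keeping the management OS off the external switch means a compromised tenant network has no direct path to the host's own IP stack; give the host a separate NIC or a dedicated management vNIC instead.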

Network Considerations
Customers ask:
• How do I ensure network multi-tenancy?
• IP address management is a pain.
• What if VMs are competing for bandwidth?
• Fully leverage the network fabric
• How do I integrate with existing fabric?
• Network metering?
• Can I dedicate a NIC to a workload?

Hybrid Clouds
Windows Server 2012 is optimized for hybrid clouds to host multi-tenant workloads.
(Diagram: a data center hosting Tenant 1 and Tenant 2, each with multiple VM workloads)

Reliability
Even when hardware fails … customers want continuous availability.
(Diagram: the same data center with network adapter TEAMING)

Predictability
Even when multiple VMs are competing for bandwidth … customers want predictability.
(Diagram: the same data center; the tenants are labelled 15 and 25 with price tags $$ and $$$$, i.e. different bandwidth shares at different prices)

Security
In a multi-tenant environment … customers want security and isolation.
(Diagram: the same data center with the two tenants isolated from each other)

Multi-Tenant Network Requirements
• Tenant wants to easily move VMs to/from the cloud
• Hoster wants to place VMs anywhere in the data center
• Both want: easy onboarding, flexibility & isolation
(Diagram: a cloud data center hosting Woodgrove Bank (Blue, 10.1.0.0/16) and Contoso Bank (Red, 10.1.0.0/16), both using the same address range)

One Solution: PVLAN
• Isolation scenario: hoster wants to isolate all VMs from each other and allow internet connectivity
  • #1 customer ask from hosters
• Community scenario: hoster wants tenant VMs to interact with each other but not with other tenants’ VMs
  • Requires a VLAN ID for each “community” (limited scalability, only 4095 VLAN IDs)
(Diagram: a Windows 8 host running a Hyper-V Switch with an uplink to the Internet at 10.1.1.1; VMs Blue 10.1.1.21, Red1 10.1.1.11, Red2 10.1.1.12 and Green 10.1.1.31; two ports labelled Isolated (primary VLAN 4, secondary 7) and two labelled Community (primary VLAN 4, secondary 9))

Software Defined Networking

Software Defined Networking (SDN)
An SDN solution can accomplish several things:
• Create virtual networks that run on top of the physical network
• Control traffic flow within the datacenter
• Create integrated policies that span the physical and virtual networks
• On a per-VM basis, configure security policies that limit the types of traffic (and destinations)

SDN: Network Virtualization
(Diagram: a Woodgrove VM and a Contoso VM on one physical server; the Woodgrove network and the Contoso network run over one physical network)

Hyper-V Machine Virtualization
• Run multiple virtual servers on a physical server
• Each VM has the illusion it is running as a physical server

Hyper-V Network Virtualization
• Run multiple virtual networks on a physical network
• Each virtual network has the illusion it is running as a physical fabric

Software Defined Networking (SDN)
How network virtualization works:
• Two IP addresses for each virtual machine
• Generic Routing Encapsulation (GRE)
• IP address rewrite
• Policy management server
Problems solved:
• Removes VLAN constraints
• Eliminates hierarchical IP address assignment for virtual machines
• On a per-VM basis, configure security policies that limit the types of traffic (and destinations)

Generic Routing Encapsulation (GRE)
How GRE works:
• Defined by RFC 2784 and 2890
• One customer address per virtual machine
• One provider address per host
• Tenant network ID
• MAC header
Benefits:
• Lowers burden on switches
• Allows traffic analysis, metering and control
• Enables Live Migration across subnets
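The two-address model above (one customer address per VM, one provider address per host, a tenant network ID carried in the GRE encapsulation) as a worked configuration. This is an added example, not code from the deck; it assumes the Windows Server 2012 NetWNV cmdlets (New-NetVirtualizationProviderAddress, New-NetVirtualizationCustomerRoute, New-NetVirtualizationLookupRecord) and the ms_netwnv adapter binding, and every NIC name, provider address, GUID, VM name and MAC below is a constructed placeholder. It reproduces the earlier slide's situation where Woodgrove (Blue) and Contoso (Red) both use 10.1.0.0/16.

```powershell
# Added example (not from the deck): Hyper-V Network Virtualization with NVGRE on
# Windows Server 2012. Two tenants reuse the same 10.1.0.0/16 customer address (CA) space;
# each VM's packets are encapsulated with the host's provider address (PA) and the
# tenant's virtual subnet ID. All names, GUIDs, addresses and MACs are placeholders.

$hostNic = "Ethernet 2"        # placeholder: physical NIC that carries NVGRE traffic
$hostPA  = "192.168.10.11"     # placeholder: provider address of this host
$paIfIdx = (Get-NetAdapter -Name $hostNic).ifIndex

# 1. Bind the WNV filter to the physical NIC and give this host a provider address.
Enable-NetAdapterBinding -Name $hostNic -ComponentID ms_netwnv
New-NetVirtualizationProviderAddress -ProviderAddress $hostPA -InterfaceIndex $paIfIdx -PrefixLength 24

# 2. One routing domain (tenant) and one virtual subnet ID (tenant network ID) per tenant.
$tenants = @(
    @{ Name = "Blue"; RDID = "{11111111-0000-0000-0000-000000000001}"; VSID = 5001;
       VM = "Blue-VM"; CA = "10.1.1.21"; MAC = "00155D000101" },
    @{ Name = "Red";  RDID = "{22222222-0000-0000-0000-000000000002}"; VSID = 5002;
       VM = "Red1-VM"; CA = "10.1.1.11"; MAC = "00155D000201" }
)

foreach ($t in $tenants) {
    # Customer route: the tenant's whole 10.1.0.0/16 lives on its own virtual subnet.
    New-NetVirtualizationCustomerRoute -RoutingDomainID $t.RDID -VirtualSubnetID $t.VSID `
        -DestinationPrefix "10.1.0.0/16" -NextHop "0.0.0.0" -Metric 255

    # Lookup record: the CA -> PA mapping a policy management server would normally push.
    # The MAC must be the VM adapter's real MAC or encapsulated frames are dropped.
    New-NetVirtualizationLookupRecord -CustomerAddress $t.CA -ProviderAddress $hostPA `
        -VirtualSubnetID $t.VSID -MACAddress $t.MAC -Rule "TranslationMethodEncap" -VMName $t.VM

    # Tag the VM's switch port with its VSID so it joins the right virtual network.
    Get-VMNetworkAdapter -VMName $t.VM | Set-VMNetworkAdapter -VirtualSubnetId $t.VSID
}

# Verify: overlapping customer prefixes now resolve through different virtual subnet IDs,
# so Blue and Red cannot reach each other even though both use 10.1.x.x.
Get-NetVirtualizationLookupRecord |
    Select-Object CustomerAddress, ProviderAddress, VirtualSubnetID, VMName |
    Format-Table -AutoSize
```

The isolation property rests entirely on the lookup records and VSIDs being correct on every host, which is why the deck lists a policy management server as part of the design: hand-maintained records drift, and a stale record is a tenant boundary failure, not just an outage.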

Extensibility
Customers want specialized functionality with lots of choice … for firewalls, monitoring and physical fabric integration.
(Diagram: a data center hosting Tenant 1 and Tenant 2 VM workloads)

Hyper-V Extensible Switch

Hyper-V Extensible Switch
• PVLANs
• ARP/ND Poisoning Protection
• DHCP Guard Protection
• Virtual Port ACLs
• Trunk Mode to Virtual Machines
• Monitoring & Port Mirroring
• Windows PowerShell & WMI Management
The Hyper-V Extensible Switch allows a deeper integration with customers’ existing network infrastructure, monitoring, and security tools.

Hyper-V Extensible Switch
(Diagram: in the root partition the Extensible Switch sits between the physical NIC and the host NIC and the VM NICs of VM1 and VM2; extensions are layered between the extension protocol and the extension miniport as Capture Extensions (NDIS), Windows Filtering Platform (WFP) extensions backed by the Filtering Engine, the BFE service and firewall callouts, and Forwarding Extensions (NDIS))

Capture extensions can inspect traffic and generate new traffic for reporting purposes. Capture extensions do not modify existing Extensible Switch traffic. Example: sFlow by InMon.

Windows Filtering Platform (WFP) extensions can inspect, drop, modify, and insert packets using WFP APIs. Windows antivirus and firewall software uses WFP for traffic filtering. Example: Virtual Firewall by 5nine Software.

Forwarding extensions direct traffic, defining the destination(s) of each packet. Forwarding extensions can capture and filter traffic. Examples: Cisco Nexus 1000V and UCS; NEC ProgrammableFlow’s vPFS (OpenFlow).

Feature Rich Networking in the Box
• Open, extensible virtual switch
  • Nexus 1000 support
  • OpenFlow support
  • Network introspection
  • Much more…
• Advanced networking
  • ACLs
  • PVLAN
  • …much more…
• Windows NIC Teaming
• Network QoS
  • Per-vNIC bandwidth reservation & limits
• Network Metering
• DVMQ
• SR-IOV network support
  • Reduces latency & CPU utilization
  • Supports Live Migration

Single-Root I/O Virtualization (SR-IOV)
• Reduces latency of the network path
• Reduces CPU utilization for processing network traffic
• Increases throughput
• Direct device assignment to virtual machines without compromising flexibility
• Supports Live Migration

(Diagram, network I/O path without SR-IOV: physical NIC → root partition → Hyper-V Switch (routing, VLAN filtering, data copy) → VMBus → virtual NIC in the virtual machine)
(Diagram, network I/O path with SR-IOV: SR-IOV physical NIC → virtual function → the virtual machine’s network stack directly, alongside the software NIC)

SR-IOV Enabling & Live Migration
Turn on IOV:
• Enable IOV (VM NIC property)
• Virtual Function is “assigned”
• Team automatically created (software NIC + virtual function)
• Traffic flows through the VF; the software path is not used
Live Migration:
• Break team
• Remove VF from VM
• Migrate as normal
Post migration:
• Reassign Virtual Function, assuming resources are available
• VM has connectivity even if: the switch is not in IOV mode; no IOV physical NIC is present; the NIC vendor is different; the NIC firmware is different
(Diagram: on each side, an SR-IOV physical NIC behind a software switch in IOV mode, with a “TEAM” of software NIC and virtual function inside the VM)

DVMQ vs. SR-IOV Considerations
• DVMQ pros:
  • Improves VM performance
  • Provides Receive Side Scaling benefits by spreading network load across multiple logical processors
  • Can use the Hyper-V Extensible Switch
• DVMQ cons:
  • If you need greater than 10 GbE for a workload, SR-IOV is likely the better choice
• SR-IOV pros:
  • Great performance
  • Great for low-latency workloads
• SR-IOV cons:
  • Bypasses the virtual switch

Cloud Admins Want Scale, Customers Want Perf
DVMQ, IPsec Task Offload, SR-IOV

IPsec Task Offload: Microsoft expects deployment of Internet Protocol security (IPsec) to increase significantly in the coming years. The large demands placed on the CPU by the IPsec integrity and encryption algorithms can reduce the performance of your network connections. IPsec Task Offload is a technology built into the Windows operating system that moves this workload from the main computer’s CPU to a dedicated processor on the network adapter.

SR-IOV is a specification that allows a PCIe device to appear to be multiple separate physical PCIe devices. The SR-IOV specification was created and is maintained by the PCI-SIG, with the idea that a standard specification will help promote interoperability. SR-IOV works by introducing the idea of physical functions (PFs) and virtual functions (VFs). Physical functions (PFs) are full-featured PCIe functions; virtual functions (VFs) are “lightweight” functions that lack configuration resources.

Dynamic Virtual Machine Queue (DVMQ): DVMQ uses hardware packet filtering to deliver packet data from an external virtual machine network directly to virtual machines, which reduces the overhead of routing packets and copying them from the management operating system to the virtual machine.
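The DVMQ / SR-IOV / IPsec offload choices above, expressed as per-switch and per-VM settings with a verification step. This is an added example, not code from the deck; the NIC name and VM names are placeholders, and the host NIC, BIOS and driver must support SR-IOV for IovSupport to come back true. The IovUsage, VmqUsage and IPsecOffloadMaxSA property names are taken from the Hyper-V PowerShell module's VMNetworkAdapter object.

```powershell
# Added example (not from the deck): enable SR-IOV on a new external switch, set per-VM
# preferences for SR-IOV, VMQ and IPsec task offload, and check what the hardware granted.
# "Ethernet 3" and the VM names are placeholders.

$iovNic = "Ethernet 3"

# SR-IOV is chosen when the switch is created; it cannot be switched on afterwards.
New-VMSwitch -Name "vSwitch-IOV" -NetAdapterName $iovNic -EnableIov $true -AllowManagementOS $false

# Low-latency workload: prefer a virtual function (IovWeight > 0). Its traffic bypasses the
# extensible switch, so port ACLs, DHCP Guard, port mirroring and switch extensions will
# not see it; put such VMs behind controls that live elsewhere (guest firewall, upstream ACLs).
Get-VMNetworkAdapter -VMName "LowLatency-VM" |
    Set-VMNetworkAdapter -IovWeight 100 -IovQueuePairsRequested 1

# Typical workload: keep VMQ (a hardware receive queue per VM) and stay on the switch path.
Get-VMNetworkAdapter -VMName "Web01" |
    Set-VMNetworkAdapter -IovWeight 0 -VmqWeight 100

# A VM terminating many IPsec tunnels: let the NIC hold up to 512 security associations.
Get-VMNetworkAdapter -VMName "Vpn-VM" |
    Set-VMNetworkAdapter -IPsecOffloadMaximumSecurityAssociation 512

# Verification: did the switch actually get IOV, and which VMs received a VF?
Get-VMSwitch -Name "vSwitch-IOV" |
    Select-Object Name, IovEnabled, IovSupport, IovSupportReasons,
                  IovVirtualFunctionCount, IovVirtualFunctionsInUse

Get-VMNetworkAdapter -VMName "LowLatency-VM", "Web01", "Vpn-VM" |
    Select-Object VMName, IovWeight, IovUsage, VmqWeight, VmqUsage, IPsecOffloadMaxSA |
    Format-Table -AutoSize
```

If IovSupport is false, IovSupportReasons lists why (no SR-IOV in firmware, unsupported driver, no ACS on the PCIe root port); the VM then silently falls back to the software path, which is exactly the "VM has connectivity even if" behaviour the migration slide describes.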

Advanced Network Security
DHCP Guard, Router Guard, Monitor Port
• DHCP Guard is a security feature that drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers.
• Router Guard is a security feature that drops Router Advertisement and Redirection messages from unauthorized virtual machines pretending to be routers.
• Monitor Mode duplicates all egress and ingress traffic to/from one or more switch ports (being monitored) to another switch port (performing monitoring).

Manage to a Service Level Agreement
Network Bandwidth & QoS
• Bandwidth Management allows you to easily reserve minimums or set maximums to provide QoS controls to manage to a service level agreement.

Port Mirroring
• Provided by the Hyper-V Extensible Switch
• Administrators can run security and diagnostics applications in virtual machines that monitor virtual machine network traffic
• Port mirroring also supports live migration of extension configurations

Set-VMNetworkAdapter -VMName MyVM -PortMirroring Source
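The guards, port mirroring pair and bandwidth controls from the three slides above, applied together with an audit of what is left unguarded. This is an added example, not code from the deck; VM names and bandwidth figures are placeholders, and the absolute reservation only takes effect on a switch created with -MinimumBandwidthMode Absolute.

```powershell
# Added example (not from the deck): harden a tenant VM port with DHCP Guard and Router
# Guard, mirror its traffic to an IDS VM, reserve and cap its bandwidth, then audit the host.
# VM names and bandwidth figures are placeholders.

# DHCP Guard drops DHCP server replies from a VM that should never hand out addresses.
# Router Guard drops Router Advertisement / Redirect messages from the same port.
Get-VMNetworkAdapter -VMName "Tenant-VM" |
    Set-VMNetworkAdapter -DhcpGuard On -RouterGuard On

# Port mirroring: the monitored port is the Source, the IDS/diagnostics VM is the Destination.
# Both must sit on the same virtual switch for the copy to be delivered.
Get-VMNetworkAdapter -VMName "Tenant-VM" | Set-VMNetworkAdapter -PortMirroring Source
Get-VMNetworkAdapter -VMName "IDS-VM"    | Set-VMNetworkAdapter -PortMirroring Destination

# Bandwidth management in bits per second: a 100 Mbps floor and a 1 Gbps ceiling.
Get-VMNetworkAdapter -VMName "Tenant-VM" |
    Set-VMNetworkAdapter -MinimumBandwidthAbsolute 100000000 -MaximumBandwidth 1000000000

# Audit: every VM adapter on this host whose guards are off or that is part of a mirror.
# An unexpected Destination port is a VM that can read other tenants' traffic.
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.DhcpGuard -ne "On" -or $_.RouterGuard -ne "On" -or $_.PortMirroringMode -ne "None" } |
    Select-Object VMName, Name, SwitchName, DhcpGuard, RouterGuard, PortMirroringMode |
    Format-Table -AutoSize
```

The audit query is the part worth scheduling: the guards default to off for new adapters, and a mirroring Destination is as sensitive as a SPAN port on a physical switch.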

Network Teaming

Windows Server 2012 Network Teaming
Failover teaming
• Typically two interfaces
• Typically connected to different switches
• Provides redundancy for NIC card, cable, or switch failure
Aggregation/load balancing teams
• Two or more interfaces
• Divides network traffic between active interfaces by MAC/IP address or protocol
• Redundancy for NIC card or cable failure
Microsoft supported
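Both team types above built with the inbox Windows Server 2012 LBFO cmdlets and an external switch bound to the team. This is an added example, not code from the deck; the adapter names NIC1 to NIC4 and the team names are placeholders, and the LACP team assumes the upstream switch ports are configured for LACP.

```powershell
# Added example (not from the deck): inbox NIC teaming on a Windows Server 2012 Hyper-V host.
# Adapter and team names are placeholders.

# Failover team: two members on different physical switches, one active and one standby.
# SwitchIndependent needs nothing from the switches, which is what allows the split uplink.
New-NetLbfoTeam -Name "Team-Failover" -TeamMembers "NIC1", "NIC2" `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm HyperVPort -Confirm:$false
Set-NetLbfoTeamMember -Name "NIC2" -AdministrativeMode Standby

# Aggregation team: all members active, flows hashed across them by transport ports.
# LACP must be configured on the switch side or the team stays degraded.
New-NetLbfoTeam -Name "Team-Agg" -TeamMembers "NIC3", "NIC4" `
    -TeamingMode Lacp -LoadBalancingAlgorithm TransportPorts -Confirm:$false

# The team surfaces as a single adapter; bind the external virtual switch to it.
New-VMSwitch -Name "vSwitch-Teamed" -NetAdapterName "Team-Agg" -AllowManagementOS $false

# Check member state: a member that is not Active points at a NIC, cable or switch failure.
Get-NetLbfoTeamMember |
    Select-Object Team, Name, AdministrativeMode, OperationalStatus, FailureReason |
    Format-Table -AutoSize
```

With a virtual switch on top of a team, HyperVPort distribution keeps each vNIC on one member so the upstream switch sees a stable MAC per port, which matters for the switch's own port security and for ARP/MAC spoofing protections that key on port-to-MAC bindings.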

Port ACL
• A rule that you can apply to a Hyper-V switch port
• Can allow or deny packets
• Inbound or outbound control
• ACLs have three elements with the following structure: local or remote address, direction, action

Add-VMNetworkAdapterAcl
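A default-deny port ACL built from the three elements listed above (address, direction, action), with a metering rule that feeds resource metering. This is an added example, not code from the deck; the VM name and addresses are placeholders, and it relies on the Windows Server 2012 rule that the most specific address match takes precedence.

```powershell
# Added example (not from the deck): default-deny inbound port ACL for a tenant VM, explicit
# allows for its own subnet and a management host, and metering of all outbound traffic.
# VM name and addresses are placeholders.
$vm = "Tenant-VM"

# Allow traffic to and from the tenant's own subnet in both directions.
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 10.1.1.0/24 -Direction Both -Action Allow

# Only the management host may initiate inbound connections from outside the subnet.
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 192.168.100.5 -Direction Inbound -Action Allow

# Deny everything else inbound. The more specific allows above take precedence over this
# catch-all, so the rule order in which they were added does not matter.
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0 -Direction Inbound -Action Deny

# Meter (count without blocking) every outbound byte; this is what Network Metering reports.
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0 -Direction Outbound -Action Meter
Enable-VMResourceMetering -VMName $vm

# Review the effective rules on the port.
Get-VMNetworkAdapterAcl -VMName $vm |
    Format-Table Direction, Action, LocalAddress, RemoteAddress -AutoSize

# Later, read the metered counters (bytes per ACL direction) from the resource report.
Measure-VM -VMName $vm | Select-Object -ExpandProperty NetworkMeteredTrafficReport
```

Port ACLs are enforced in the extensible switch, so they do not apply to a VM whose traffic is using an SR-IOV virtual function; that is the concrete cost of the "bypasses the virtual switch" item in the SR-IOV cons list.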

PVLANs
• PVLAN addresses some of the scalability issues of VLANs
• Set as a switch port property
• PVLAN has two VLAN IDs: a primary VLAN ID and a secondary VLAN ID
• PVLAN may be in one of three modes: isolated, promiscuous, community

Set-VMNetworkAdapterVlan

Trunk Mode
• Hyper-V Virtual Switch provides support for VLAN trunk mode
• Provides network services on a virtual machine with the ability to see traffic from multiple VLANs
• The switch port receives traffic from all VLANs that are in an allowed VLAN list

Set-VMNetworkAdapterVlan
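All three VLAN modes the deck covers (access, the three PVLAN modes from the earlier "One Solution: PVLAN" slide, and trunk) on one host. This is an added example, not code from the deck; the VM names are placeholders, and the mapping of Blue and Green to the isolated ports (primary 4, secondary 7) and Red1 and Red2 to the community ports (primary 4, secondary 9) is my reading of that slide's diagram, not something the text states.

```powershell
# Added example (not from the deck): access VLAN, PVLAN (isolated/community/promiscuous)
# and trunk configuration with Set-VMNetworkAdapterVlan. VM names are placeholders.

# Plain access VLAN: the whole port lives on one tagged VLAN.
Get-VMNetworkAdapter -VMName "Web01" | Set-VMNetworkAdapterVlan -Access -VlanId 10

# Isolated PVLAN ports (primary 4, secondary 7): each VM can reach only the promiscuous
# port (the gateway), never another isolated VM, even though they share the primary VLAN.
foreach ($vm in "Blue", "Green") {
    Get-VMNetworkAdapter -VMName $vm |
        Set-VMNetworkAdapterVlan -Isolated -PrimaryVlanId 4 -SecondaryVlanId 7
}

# Community PVLAN ports (primary 4, secondary 9): one tenant's VMs talk to each other and
# to the promiscuous port, but not to other communities or to isolated ports.
foreach ($vm in "Red1", "Red2") {
    Get-VMNetworkAdapter -VMName $vm |
        Set-VMNetworkAdapterVlan -Community -PrimaryVlanId 4 -SecondaryVlanId 9
}

# Promiscuous port: the gateway/router VM that every secondary VLAN is allowed to reach.
Get-VMNetworkAdapter -VMName "Gateway" |
    Set-VMNetworkAdapterVlan -Promiscuous -PrimaryVlanId 4 -SecondaryVlanIdList "7,9"

# Trunk port: a virtual firewall or monitoring VM that must see several VLANs.
# Only VLANs in the allowed list pass; untagged frames are placed on the native VLAN.
Get-VMNetworkAdapter -VMName "Firewall" |
    Set-VMNetworkAdapterVlan -Trunk -AllowedVlanIdList "10-20,30" -NativeVlanId 1

# Verify every port's mode and IDs against the intended design.
Get-VM | Get-VMNetworkAdapterVlan |
    Select-Object OperationMode, PrivateVlanMode, AccessVlanId, PrimaryVlanId,
                  SecondaryVlanId, SecondaryVlanIdList, NativeVlanId, AllowedVlanIdList |
    Format-Table -AutoSize
```

The verification list is the useful part operationally: a trunk port with a wider allowed list than intended, or a port that was meant to be isolated but is in community mode, is a tenant-isolation break that nothing else on the host will flag.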

Networking Performance
Dynamic VMQ, IPsec Task Offload, SR-IOV Support
The Hyper-V Extensible Switch takes advantage of hardware innovation to drive the highest levels of networking performance within virtual machines.
• Dynamic VMQ: dynamically span multiple CPUs when processing virtual machine network traffic
• IPsec Task Offload: offload IPsec processing from within the virtual machine to the physical network adapter, enhancing performance
• SR-IOV: map a virtual function of an SR-IOV-capable physical network adapter directly to a virtual machine

Network Load Balancing

VMs Using Network Load Balancing
• To configure VMs in a Network Load Balancing (NLB) cluster, enable MAC address spoofing
• This ensures the virtual switch will not learn MAC addresses, a requirement for NLB to function correctly
• VMQ does not work with NLB: NLB changes the virtual MAC addresses, which prevents Hyper-V from dispatching packets directly to the guest’s queue
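The two NLB prerequisites above, applied to the cluster nodes and then checked across the host so the relaxation stays limited to those nodes. This is an added example, not code from the deck; the VM names are placeholders.

```powershell
# Added example (not from the deck): prepare the adapters of VMs in an NLB cluster.
# MAC address spoofing must be on so the switch stops learning and locking the port MAC,
# and VMQ is turned off because NLB rewrites the MAC the hardware queue is keyed on.
# VM names are placeholders.
$nlbNodes = "NLB-Node1", "NLB-Node2"

foreach ($vm in $nlbNodes) {
    Get-VMNetworkAdapter -VMName $vm |
        Set-VMNetworkAdapter -MacAddressSpoofing On -VmqWeight 0
}

# Spoofing disables a per-port switch protection, so list every adapter that has it on
# and confirm the list matches the NLB nodes and nothing else.
$spoofing = Get-VM | Get-VMNetworkAdapter | Where-Object { $_.MacAddressSpoofing -eq "On" }
$spoofing | Select-Object VMName, Name, SwitchName, MacAddressSpoofing, VmqWeight | Format-Table -AutoSize

$unexpected = $spoofing | Where-Object { $nlbNodes -notcontains $_.VMName }
if ($unexpected) { Write-Warning "MAC spoofing enabled outside the NLB cluster: $($unexpected.VMName -join ', ')" }
```

A VM with spoofing enabled can claim any source MAC on its switch, which is why the check compares the result against an explicit allow list rather than just printing it.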

Windows Server 2012 Networking: It’s All There
Feature rich, extensible, in the box, no compromises

Feature                  | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012
NIC Teaming              | Yes, via partners   | Yes, via partners      | Yes, Windows NIC Teaming in box
VLAN Tagging             | Yes                 | Yes                    | Yes
MAC Spoofing Protection  | No                  | Yes, with R2 SP1       | Yes
ARP Spoofing Protection  | No                  | Yes, with R2 SP1       | Yes
SR-IOV Networking        | No                  | No                     | Yes
Network QoS              | No                  | No                     | Yes
Network Metering         | No                  | No                     | Yes
Network Monitor Modes    | No                  | No                     | Yes
IPsec Task Offload       | No                  | No                     | Yes
VM Trunk Mode            | No                  | No                     | Yes

Takeaways
• Hyper-V is fully integrated in the Windows network stack
• Use the synthetic network adapter
• Use VLAN tagging & firewall rules for security
• Windows Server 2012 includes inbox NIC Teaming for load balancing and failover
• VMQ provides great performance for most workloads
• SR-IOV for low-latency, high-throughput workloads

©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
