Wednesday, August 29, 2012

Explaining the Hyper-V Extensible Switch

In previous versions of Hyper-V, we referred to Virtual Networks instead of switches when we talked about what’s now called the Hyper-V Extensible Switch. This often led to confusion for customers and engineers when dealing with networking in Hyper-V, especially in the TechNet Forums.

A virtual network could either be Private, Internal or External.

The Private network did not bind to a physical NIC on the parent partition, and only allowed the virtual machines connected to this network to communicate with each other. Since there was no binding to a physical NIC, the virtual machines were unable to communicate with virtual machines on other hosts.

The Internal network did not bind to a physical NIC either, but created a virtual NIC in the parent partition so that the virtual machines and the host itself were able to communicate with each other.

The External network was the only type of network that would bind to a physical NIC in the parent, meaning that this was the proper type of virtual network if you wanted your virtual machines to be able to communicate over the physical network and have LAN/WAN access.

The three different types still exist in Windows Server 2012, but have been renamed to virtual switches.
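The three switch types created from PowerShell on Windows Server 2012, as an added example that is not part of the original post. It assumes the Hyper-V PowerShell module is present and that the physical adapter in the parent partition is named "Ethernet"; the switch names are constructed for this example. The check at the end shows which switches created a vEthernet adapter in the parent, which is the visible difference between Private, Internal and External (with the management OS kept off the external switch).

```powershell
# Added example, not from the original post. Assumes the Hyper-V module on
# Windows Server 2012 and a physical NIC named "Ethernet" (assumption).
# Switch names are constructed for this example.
Import-Module Hyper-V

# Private: no vNIC in the parent, no physical binding. Only VMs attached to
# this switch, on this host, can talk to each other.
New-VMSwitch -Name "Tenant-Private" -SwitchType Private

# Internal: no physical binding, but a vEthernet adapter is created in the
# parent partition so the host and the attached VMs can communicate.
New-VMSwitch -Name "Mgmt-Internal" -SwitchType Internal

# External: binds to the physical NIC. -AllowManagementOS $false keeps the
# parent partition off this switch, so only VM traffic leaves through the NIC
# and the host does not share a broadcast domain with tenant workloads.
New-VMSwitch -Name "Prod-External" -NetAdapterName "Ethernet" -AllowManagementOS $false

# Attach a VM (constructed name) to the external switch.
Connect-VMNetworkAdapter -VMName "Web01" -SwitchName "Prod-External"

# Verify: switch type, physical binding, and whether the parent got a vNIC.
# Only "Mgmt-Internal" should have produced a vEthernet adapter here.
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS
Get-NetAdapter -Name "vEthernet*" | Select-Object Name, Status, InterfaceDescription
```

Keeping the management OS off the external switch is a design choice rather than a requirement; if the host has only one NIC you would set -AllowManagementOS $true and accept that host management traffic shares the switch with the VMs.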

A lot of work has gone into the switch in Hyper-V, and the switch itself is now extensible, so that third parties can integrate with it and develop tools and solutions that interact with it.
A Hyper-V virtual switch is a virtual layer-2 network switch that provides programmatically managed and extensible capabilities to connect virtual machines to the physical network. This leads to better solutions for security, isolation, SLAs and policy enforcement in a virtual environment, and is much better suited for cloud computing scenarios.

Normally when we think of cloud computing scenarios, we also think of tenant isolation, protection against malicious virtual machines and traffic control. The Hyper-V Extensible Switch covers it all.

There is built-in support for NDIS (Network Device Interface Specification) filter drivers and WFP (Windows Filtering Platform) callout drivers. This makes it possible for ISVs to create plug-ins that provide enhanced networking and security capabilities, which gives organizations more options to secure their tenants and traffic and to measure networking for virtual machines.

Functionality in Hyper-V Extensible Switch

DHCP Guard protection: Helps protect against malicious virtual machines that present themselves as DHCP servers, often referred to as a man-in-the-middle attack.

Network traffic monitoring: Lets cloud administrators control and review the traffic passing through the virtual switch.

Port ACLs: Traffic filtering based on MAC (Media Access Control) or IP (Internet Protocol) addresses/ranges so that the cloud administrator can set up virtual network isolation.

ARP/ND Spoofing protection: Protects against malicious VMs using ARP spoofing to steal other VMs' IP addresses, and against the equivalent attacks launched over IPv6 using ND spoofing.

Trunk mode to a VM: Lets the cloud administrator set up a specific VM as a virtual appliance and direct traffic from various VLANs to that VM.

Isolated VLAN (PVLAN): Lets the cloud administrator segregate traffic on multiple VLANs so that isolated tenant communities can easily be established.

Bandwidth limit and burst support: Reserves a guaranteed minimum amount of bandwidth for a VM, while a bandwidth maximum caps the amount of bandwidth a VM can consume.

ECN marking support: Explicit Congestion Notification (ECN) marking, also known as Data Center TCP (DCTCP), enables the physical switch and the operating system to regulate traffic flow so that the buffer resources of the switch are not flooded, which results in increased traffic throughput.

Diagnostics: Lets the cloud administrator easily trace and monitor events and packets through the virtual switch.
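Most of the features in the list above are per-port settings on a VM's network adapter. The following is an added example, not code from the original post, showing how a tenant VM would be locked down with them on Windows Server 2012. It assumes the Hyper-V PowerShell module, constructed VM names ("Tenant1-Web", "Edge-Firewall", "NetMon"), constructed tenant addressing (10.10.1.0/24, VLAN 10/101), and a switch the VM is already attached to that was created with -MinimumBandwidthMode Absolute. Treating MacAddressSpoofing Off as the per-adapter control behind the ARP/ND spoofing protection is my reading of how the switch enforces source-address integrity; the post itself does not name the setting.

```powershell
# Added example, not from the original post. VM names, subnets and VLAN ids
# are constructed; the switch is assumed to use -MinimumBandwidthMode Absolute.
Import-Module Hyper-V

$vm = "Tenant1-Web"

# DHCP Guard drops DHCP server replies sent by this VM; Router Guard drops its
# router advertisements and redirects. A compromised guest therefore cannot
# pose as the tenant's DHCP server or default gateway (the man-in-the-middle
# case in the post). MacAddressSpoofing Off makes the switch reject frames
# whose source MAC the adapter does not own (assumed to be the control behind
# the ARP/ND spoofing protection).
Set-VMNetworkAdapter -VMName $vm -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off

# Port ACLs: permit the tenant's own subnet, deny everything else for both
# address families. The more specific /24 rule wins over the /0 rules, so the
# deny acts as the default for traffic outside the tenant.
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 10.10.1.0/24 -Direction Both -Action Allow
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0   -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress ::/0        -Direction Both -Action Deny

# PVLAN isolated mode: VMs on secondary VLAN 101 can reach the promiscuous
# port (the tenant gateway on primary VLAN 10) but not each other.
Set-VMNetworkAdapterVlan -VMName $vm -Isolated -PrimaryVlanId 10 -SecondaryVlanId 101

# Bandwidth: reserve 100 Mbit/s and cap at 500 Mbit/s (values are bits/s).
Set-VMNetworkAdapter -VMName $vm -MinimumBandwidthAbsolute 100000000 -MaximumBandwidth 500000000

# Trunk mode for a virtual appliance that inspects several tenant VLANs.
Set-VMNetworkAdapterVlan -VMName "Edge-Firewall" -Trunk -AllowedVlanIdList "200-210" -NativeVlanId 200

# Traffic monitoring: mirror the tenant VM's port to a monitoring VM so its
# traffic can be captured and reviewed without touching the guest.
Set-VMNetworkAdapter -VMName $vm -PortMirroring Source
Set-VMNetworkAdapter -VMName "NetMon" -PortMirroring Destination

# Check what was applied.
Get-VMNetworkAdapter -VMName $vm |
    Select-Object VMName, DhcpGuard, RouterGuard, MacAddressSpoofing, PortMirroringMode, BandwidthSetting
Get-VMNetworkAdapterAcl  -VMName $vm
Get-VMNetworkAdapterVlan -VMName $vm
Get-VMNetworkAdapterVlan -VMName "Edge-Firewall"
```

Because these are port settings, they move with the VM on live migration and do not depend on the guest cooperating, which is the point of enforcing them in the switch rather than inside the tenant's operating system. The ACL deny on 0.0.0.0/0 also blocks DHCP from outside the /24, so a tenant relying on a central DHCP server would need an extra Allow for that server's address.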

Together with network virtualization, this ensures that you can meet the demands of cloud computing in the networking space as well.

There will be more blogging about switch extensions and network virtualization when SC VMM 2012 SP1 is available.
