Hyper-V Networking

Aidan Finn

About Aidan Finn

• Technical Sales Lead at MicroWarehouse (Dublin)

• Working in IT since 1996

• MVP (Virtual Machine)

• Experienced with Windows Server/Desktop, System Center,

virtualisation, and IT infrastructure

• @joe_elway

• http://www.aidanfinn.com

• http://www.petri.co.il/author/aidan-finn

• Published author/contributor of several books

Books

System Center

2012 VMM

Windows Server

2012 Hyper-V

Networking Basics

Hyper-V Networking Basics

6

Management OS Virtual Machines

VLAN Trunk

VLAN ID = 101 VLAN ID = 102

Virtual NICs

• Generation 1 VMs can have:

– (Synthetic) network adapter

• Requires drivers (Hyper-V integration

components/services)

• Does not do PXE boot

• Best performance

– Legacy network adapter

• Emulated - does not require Hyper-V drivers

• Does offer PXE

• Bad performance

• Generation 2 VMs have synthetic network adapters with PXE

7

Hyper-V Extensible

Switch

• Replaces Virtual

Network

• Handles network traffic

between:

–Virtual machines

– The physical network

– The management OS

• Layer-2 virtual interface

• Programmatically

managed

• Extensible 8

NIC = network

adapter

Hyper-V Extensible Switch

Virtual Switch Types

• External:

– Allow VMs to talk to each other physical network and host

– Normally used

• Internal

– Allow VMs to talk to each other and host

– VMs cannot communicate to VMs on another host

– Normally only ever seen in a lab

• Private

– Allow VMs to talk to each other

– VMs cannot communicate to VMs on another host

– Sometimes seen but replaced by Hyper-V network

virtualization or VLANs

9

Extension Types

• Capturing

• Monitoring

• Example: InMon sFlow

• Filtering

• Packet monitoring/security

• Example: 5nine Security

• Forwarding

• Does all the above & more

• Example: Cisco Nexus

1000V

Switch Extensibility

NIC Teaming

• Provides load balancing and failover (LBFO)

• Load balancing:

– Spread traffic across multiple physical NICs.

– This provides link aggregation – not necessarily a

single virtual “pipe”.

• Failover:

– If one physical path (NIC or top-of-rack switch) fails

then traffic automatically moved to another NIC in the

team.

• Built-in and fully supported for Hyper-V and

Failover Clustering since WS2012

NIC Teaming

• Microsoft supported – no more calls to NIC

vendors for teaming support or getting told to turn

off teaming

• Vendor agnostic – can mix NIC manufacturers in

a single team

• Up to:

– 32 NICs at same speed in physical machines

– 2 virtual NICs at same speed in a VM

• Configure teams to meet server needs

• Team management is easy!

– Server Manger, LBFOADMIN.EXE, VMM, or

PowerShell

NIC Teaming Features

Team

members

--or--

Network

Adapters

Team

Team

Interfaces,

Team NICs, or

tNICs

Terminology

• Switch Independent mode

– Doesn’t require any configuration of a

switch

– Protects against adjacent switch

failures

– Allows Standby NIC

• Switch dependent modes

1. Static Teaming

• Configured on switch

2. LACP Teaming

• Also known as IEEE 802.1ax or 802.3ad

– Requires configuration of the

adjacent switch

Switch

dependent

team

Switch

independent

team

Connection Modes

1. Address Hash – comes in 3 flavors

– 4-tuple hash: (Default distribution mode) uses the RSS hash if

available, otherwise hashes the TCP/UDP ports and the IP

addresses. If ports not available, uses 2-tuple instead.

– 2-tuple hash: hashes the IP addresses. If not IP traffic uses MAC-

address hash instead.

– MAC address hash: hashes the MAC addresses.

2. Hyper-V port

– Hashes the port number on the Hyper-V switch that the traffic is

coming from. Normally this equates to per-VM traffic. Best if

using DVMQ.

3. Dynamic (Added in WS2012 R2)

– Spread a single stream of data across team members using

“flowlets”. The default option in WS2012 R2.

Load Distribution Modes

• Choose the team connection

mode that is required by your

switches

• Choose either Hyper-V Port or

Dynamic (WS2012 R2) load

distribution

– Hyper-V Port provides

predictable incoming paths and

DVMQ acceleration.

– Dynamic enables a single virtual

NIC to spread traffic across

multiple team members at once.

NIC Teaming – Virtual Switch

NIC Team

• Choose the team connection

mode that is required by your

switches

• Choose either Address Hash

or Dynamic load distribution

– Address Hash will isolate a

single stream of traffic on one

physical NIC.

– Dynamic enables a since virtual

NIC to spread traffic across

multiple team members at once.

NIC Teaming – Physical NICs

NIC Team

Netw

orking Stack

• Can be configured in guest

OS of a WS2012 or later VM.

• Teams the VM’s virtual NICs.

• Configuration is locked.

• You must allow NIC teaming

in the advanced properties of

the virtual NIC in the VM

settings.

• Set-VMNetworkAdapter VM01–AllowTeaming On/Off

NIC Teaming – Virtual Machines

Virtual Machine NIC Team

Demo: NIC Teaming

Hardware Offloads

Core 2 Core 3 Core 4 Core 5 Core 6Core 1

Management OS

Virtual Machine NIC Team

Management

Live Migratio

n

Clu

ster

SMB

3.0

Backu

p

rNIC1 rNIC2

0 1 2 3 4 5 6 7 8 9 10 11

CPU 0

Core 8 Core 9 Core 10 Core 11 Core 12Core 7

12 13 14 15 16 17 18 19 20 21 22 23

CPU 1Processors (Hyperthreading) {

Cores {

Logical Processors {

RSS100% utilized

Core 2 Core 3 Core 4 Core 5 Core 6Core 1

Management OS

Virtual Machine NIC Team

Management

Live Migratio

n

Clu

ster

SMB

3.0

Backu

p

rNIC1 rNIC2

0 1 2 3 4 5 6 7 8 9 10 11

CPU 0

Core 8 Core 9 Core 10 Core 11 Core 12Core 7

12 13 14 15 16 17 18 19 20 21 22 23

CPU 1Processors (Hyperthreading) {

Cores {

Logical Processors {

DVMQ100% utilized

RSS and DVMQ• Consult your network card/server

manufacturer

• Can use Get- Set-

NetAdapterRSS to configure.

• Don’t change anything unless

you need to

• RSS and DVMQ are

incompatible on the same NIC

so design hosts accordingly

vRSS• Added in WS2012 R2

• RSS provides extra processing capacity for inbound traffic to a

physical server

– Using cores beyond Core 0.

• vRSS does the same thing in the guest OS of a VMM

– Using additional virtual processors.

• Allows inbound networking to VMM to scale out.

• Obviously requires VMs with additional virtual processors.

• The physical NICs used by the virtual switch must support DVMQ.

• Enable RSS in the advanced NIC properties in the VM’s guest OS

Management OS

Virtual Machine NIC Team

Management

Live Migratio

n

Clu

ster

SMB

3.0

Backu

p

rNIC1 rNIC2

CPU 0 CPU 1 CPU 2 CPU 3 CPU 4 CPU 5 CPU 6 CPU 7

vRSS100% utilized

Demo: vRSS

Single-Root I/O (SR-IOV)• Virtual function on capable NIC presented directly to VM

• Bypasses user mode in Management OS

– Network stack

– Virtual Switch (logical connection present)

– Cannot team NICs in Management OS – can team NICs in VM

• Super low latency virtual networking, less h/w usage

• Requires SR-IOV ready:

– Motherboard

– BIOS

– NIC

– Windows Server 2012/Hyper-V Server 2012 (or later) host

• Can Live Migrate to/from capable/incapable hosts

Host

Network I/O path without SRIOV Network I/O path with SRIOV

Root Partition

Hyper-V Switch

Physical

NIC

Virtual

Machine

Virtual NIC

Routing

VLAN Filtering

Data Copy

Host

Root Partition

Hyper-V Switch

SR-IOV Physical NIC

Virtual

Machine

Virtual

Function

Routing

VLAN Filtering

Data Copy

SR-IOV Illustrated

Implementing SR-IOV• All management OS

networking features are bypassed

• You must create SR-IOV virtual switches to begin with:– New-VMSwitch IOVSwitch1 -

NetAdapterName pNIC1 –EnableIOV $True

• Install Virtual Function driver in guest OS

• To get teaming:– Create 2 virtual switches

– Enable guest OS teaming in vNICadvanced settings

– Team in the guest OS

NIC Team

SR-IOV Enabled Virtual Switch 1

SR-IOV Enabled Virtual Switch 2

Virtual NIC 1 Virtual NIC 2

Physical NIC 1 Physical NIC 2

The Real World: SR-IOV• Not cloud or admin friendly:

– Requires customization in the guest OS

– How many hosting or end users can you trust with admin rights

over in-guest NIC teams?

• In reality:

– SR-IOV is intended for huge hosts or few VMs with low latency

requirements

– You might never implement SR-IOV outside of a lab

IPsec Task Offload (IPSecTO)• IPsec encrypts/decrypts traffic between a client and server.

• Done automatically based on some rule.

• Can be implemented by a tenant independently of the cloud

administrators

• It uses processor resources – in a cloud this could have a significant

impact.

• Using IPSecOffloadV2 enabled NICs, Hyper-V can offload IPsec

processing from VMs to the host’s NIC(s).

Consistent Device Naming (CDN)• Every Windows admin hates “Local Area Connection, “Local Area

Connection 2”, etc.

– Network devices randomly named based on order of PNP

discovery

• Modern servers (Dell 12th gen, HP Gen8) can store network port

device names

• WS2012 and later can detect these names

• Uses device name to name network connections:

– Port 1

– Port 2

– Slot 1 1

– Slot 1 1

Converging Networks• Not a new concept from hardware vendors

• Introduces as a software solution in WS2012

• Will cover this topic in the High Availability session

SMB 3.0• No longer just a file & print protocol

• Learn more in the SMB 3.0 and Scale-Out File Server session

Thank You!

Aidan Finn

@joe_elway

www.aidanfinn.com

Petri IT Knowledgebase