 |
|
Content Owner: Roman Macek | ||||
Summary
Yes (Hyper-V Virtual Switch); Extended Port ACLs, vRSS, DLB - Switch Embedded Teaming - Network Controller
Details
(no major updates with WS2019)Arguable the biggest improvements to virtualization and cloud environments with Server 2012 have come with the addition of the Hyper-V Extensible Switch (Hyper-V as well as free Hyper-V Server).
Its essentially an Ethernet switch that runs in the management operating system of the Hyper-V parent partition and allows to connect virtual machines to both virtual networks and the physical network. In addition, the Hyper-V Virtual Switch provides policy enforcement for security, isolation, and service levels.
The Hyper-V Virtual Switch enables ISVs to create extensible plug-ins (Virtual Switch Extensions) that can provide enhanced networking and security capabilities. Management of the Hyper-V extensible switch, including deployment and configuration of virtual switch extensions using a new logical switch concept can be done through VMM 2012 (min SP1).
Note: The Extensible Switch is strictly speaking not a natively distributed switch (i.e. there are individual switch instances on each host). However, using the Virtual Switch Extensions Hyper-V can provide more advanced and fully distributed virtual switches (e.g. using Ciscos 1000v) but these are typically fee-based.
New with WS 2012 R2 are the following enhancements:
1. Extended Port ACLs (configure ACLs to provide firewall protection and enforce security policies for the tenant VMs in their datacenters)
- In Windows Server 2012, you were able to specify both source and destination MAC and IP addresses for IPv4 and IPv6. For Windows Server 2012 R2 you can also specify the port number when you create rules
- Stateful rules that are unidirectional and provide a timeout parameter (after the rule is utilized successfully one time, the two traffic flows are allowed without having to be looked up against the rule again for a period of time that you designate using the timeout attribute)
2. Dynamic Load Balancing (DLB) of traffic types (WS 2012 provided simultaneous load distribution and failover, but did not ensure load distribution between the NICs in a NIC team in a balanced manner - in WS 2012 R2, dynamic load balancing continuously and automatically moves traffic streams from NIC to NIC within the NIC team to share the traffic load as equitably as possible).
3. Hyper-V Network Virtualization coexists with third party forwarding extensions
When you have a third party forwarding extension installed, Hyper-V Virtual Switch now performs hybrid forwarding. With hybrid forwarding, network traffic that is NVGRE encapsulated is forwarded by the HNV module within the switch, while all non-NVGRE network traffic is forwarded by the third party forwarding extensions that you have installed.
In addition to forwarding, a third party forwarding extension can still apply other policies, such as ACLs and QoS, to both the NVGRE and the non NVGRE-encapsulated traffic. The forwarding extension that you install must be able to process both types of network traffic based on their intended destinations. The policies and capabilities of the Hyper-V Virtual Switch and third party extensions do not displace each other – instead, they are mutually available.
4. Reduced bottle-necks with vRSS
In WS 2012 Receive Side Scaling (RSS spreads the processing across multiple cores on the host and multiple cores on the VM) over SR-IOV was supported; now in Windows Server 2012 R2, virtual RSS (vRSS) is supported on the VM network path, allowing VMs to sustain a greater networking traffic load. To take advantage of vRSS, VMs must be configured to use multiple cores, and they must support RSS. vRSS is enabled automatically when the VM uses RSS on the VM network path.
Other key features of the Hyper-V Virtual Switch:
Multi-tenancy - through the Extensible Switch, Server 2012 provides now the isolation and security capabilities required for multi-tenancy by offering:
- Multitenant virtual machine isolation through PVLANs
- Protection from Address Resolution Protocol/Neighbour Discovery (ARP/ND) poisoning (also called spoofing)
- Protection against DHCP snooping and DHCP Guard
- Virtual port ACLs
- The capability to trunk traditional VLANs to virtual machines
- Monitoring Windows PowerShell/Windows Management Instrumentation (WMI)
The Hyper-V Extensible Switch can be configured as:
- External (ports that connect to a single external NIC as well as one or more virtual NICs in vims)
- Internal (allowing communication between parent and child partitions, i.e. host and guests)
- Private (communication between child partitions only)
Details here: http://bit.ly/Ue8K0u
In Windows Server 2016, Microsoft has improved the virtual switch because it manages now the teaming. It is not necessary anymore to create teaming and then create the virtual switch on top. This is called Switch Embedded Teaming. Thanks to SET, we can now enable RDMA, vRSS on virtual NIC located in the hyperviseur (parent partition). This enables to converge everything on two network adapters (Storage, Live-Migration, Management, Heartbeat and so on). https://blogs.technet.microsoft.com/wsnetdoc/2015/09/01/switch-embedded-teaming-network-adapter-teaming-within-hyper-v-virtual-switch/
Moreover Microsoft has improved the Software-Defined Networking layer. The all layer can be managed accross the Network Controller. Network Controller provides API to manage all the network devices (virtual switches, software load balancer and so on). The network controller can be managed accross System Center Virtual Machine Manager. The Network Controller requires Windows Server 2016 Datacenter edition
In WIndows Server 2016, the SDN layer supports VXLAN
Its essentially an Ethernet switch that runs in the management operating system of the Hyper-V parent partition and allows to connect virtual machines to both virtual networks and the physical network. In addition, the Hyper-V Virtual Switch provides policy enforcement for security, isolation, and service levels.
The Hyper-V Virtual Switch enables ISVs to create extensible plug-ins (Virtual Switch Extensions) that can provide enhanced networking and security capabilities. Management of the Hyper-V extensible switch, including deployment and configuration of virtual switch extensions using a new logical switch concept can be done through VMM 2012 (min SP1).
Note: The Extensible Switch is strictly speaking not a natively distributed switch (i.e. there are individual switch instances on each host). However, using the Virtual Switch Extensions Hyper-V can provide more advanced and fully distributed virtual switches (e.g. using Ciscos 1000v) but these are typically fee-based.
New with WS 2012 R2 are the following enhancements:
1. Extended Port ACLs (configure ACLs to provide firewall protection and enforce security policies for the tenant VMs in their datacenters)
- In Windows Server 2012, you were able to specify both source and destination MAC and IP addresses for IPv4 and IPv6. For Windows Server 2012 R2 you can also specify the port number when you create rules
- Stateful rules that are unidirectional and provide a timeout parameter (after the rule is utilized successfully one time, the two traffic flows are allowed without having to be looked up against the rule again for a period of time that you designate using the timeout attribute)
2. Dynamic Load Balancing (DLB) of traffic types (WS 2012 provided simultaneous load distribution and failover, but did not ensure load distribution between the NICs in a NIC team in a balanced manner - in WS 2012 R2, dynamic load balancing continuously and automatically moves traffic streams from NIC to NIC within the NIC team to share the traffic load as equitably as possible).
3. Hyper-V Network Virtualization coexists with third party forwarding extensions
When you have a third party forwarding extension installed, Hyper-V Virtual Switch now performs hybrid forwarding. With hybrid forwarding, network traffic that is NVGRE encapsulated is forwarded by the HNV module within the switch, while all non-NVGRE network traffic is forwarded by the third party forwarding extensions that you have installed.
In addition to forwarding, a third party forwarding extension can still apply other policies, such as ACLs and QoS, to both the NVGRE and the non NVGRE-encapsulated traffic. The forwarding extension that you install must be able to process both types of network traffic based on their intended destinations. The policies and capabilities of the Hyper-V Virtual Switch and third party extensions do not displace each other – instead, they are mutually available.
4. Reduced bottle-necks with vRSS
In WS 2012 Receive Side Scaling (RSS spreads the processing across multiple cores on the host and multiple cores on the VM) over SR-IOV was supported; now in Windows Server 2012 R2, virtual RSS (vRSS) is supported on the VM network path, allowing VMs to sustain a greater networking traffic load. To take advantage of vRSS, VMs must be configured to use multiple cores, and they must support RSS. vRSS is enabled automatically when the VM uses RSS on the VM network path.
Other key features of the Hyper-V Virtual Switch:
Multi-tenancy - through the Extensible Switch, Server 2012 provides now the isolation and security capabilities required for multi-tenancy by offering:
- Multitenant virtual machine isolation through PVLANs
- Protection from Address Resolution Protocol/Neighbour Discovery (ARP/ND) poisoning (also called spoofing)
- Protection against DHCP snooping and DHCP Guard
- Virtual port ACLs
- The capability to trunk traditional VLANs to virtual machines
- Monitoring Windows PowerShell/Windows Management Instrumentation (WMI)
The Hyper-V Extensible Switch can be configured as:
- External (ports that connect to a single external NIC as well as one or more virtual NICs in vims)
- Internal (allowing communication between parent and child partitions, i.e. host and guests)
- Private (communication between child partitions only)
Details here: http://bit.ly/Ue8K0u
In Windows Server 2016, Microsoft has improved the virtual switch because it manages now the teaming. It is not necessary anymore to create teaming and then create the virtual switch on top. This is called Switch Embedded Teaming. Thanks to SET, we can now enable RDMA, vRSS on virtual NIC located in the hyperviseur (parent partition). This enables to converge everything on two network adapters (Storage, Live-Migration, Management, Heartbeat and so on). https://blogs.technet.microsoft.com/wsnetdoc/2015/09/01/switch-embedded-teaming-network-adapter-teaming-within-hyper-v-virtual-switch/
Moreover Microsoft has improved the Software-Defined Networking layer. The all layer can be managed accross the Network Controller. Network Controller provides API to manage all the network devices (virtual switches, software load balancer and so on). The network controller can be managed accross System Center Virtual Machine Manager. The Network Controller requires Windows Server 2016 Datacenter edition
In WIndows Server 2016, the SDN layer supports VXLAN
