Microsoft Virtual Academy

Microsoft Virtual Academy First HalfSecond Half (01) Introduction to Microsoft Virtualization(05) Hyper-V Management (02) Hyper-V Infrastructure (06) Hyper-V High Availability and Live Migration (03) Hyper-V Networking (07) Integration with System Center 2012 Virtual Machine Manager (04) Hyper-V Storage (08) Integration with Other System Center 2012 Components ** MEAL BREAK **

Microsoft Virtual Academy

Windows Server 2003 SP2 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Linux (SLES 10, 11) RHEL 5.x/6.x CentOS 5.x/6.x Windows XP Windows Vista Windows 7 Windows 8 OpenSUSE Etc.

How do I ensure network multi-tenancy? IP Address Management is a pain. What if VMs are competing for bandwidth? Fully Leverage Network Fabric How do I integrate with existing fabric? Network Metering? Can I dedicate a NIC to a workload?

Tenant 2: Multiple VM Workloads Data Center Tenant 1: Multiple VM Workloads

Tenant 2: Multiple VM Workloads Data Center Tenant 1: Multiple VM Workloads TEAMING

Tenant 2: Multiple VM Workloads Data Center Tenant 1: Multiple VM Workloads $$ $$$$

Tenant 2: Multiple VM Workloads Data Center Tenant 1: Multiple VM Workloads

Cloud Data Center Woodgrove Bank Blue /16 Contoso Bank Red /16

u Win 8 Host Blue Red To Internet ( ) Hyper-V Switch Red Green Isolated 4, 7 Isolated Community 4, 9 Community

Physical network Physical server Woodgrove VMContoso VM Woodgrove networkContoso network Hyper-V Machine Virtualization Run multiple virtual servers on a physical server Each VM has illusion it is running as a physical server Hyper-V Network Virtualization Run multiple virtual networks on a physical network Each virtual network has illusion it is running as a physical fabric

Tenant 2: Multiple VM Workloads Data Center Tenant 1: Multiple VM Workloads

Hyper-V Extensible Switch PVLANS ARP/ND Poisoning Protection DHCP Guard Protection Virtual Port ACLs Trunk Mode to Virtual Machines Monitoring & Port Mirroring Windows PowerShell & WMI Management The Hyper-V Extensible Switch allows a deeper integration with customers’ existing network infrastructure, monitoring, and security tools

Physical NIC Root Partition Extensible Switch Extension Protocol Extension Miniport Host NIC VM NIC VM1 VM NIC VM2  Capture extensions can inspect traffic and generate new traffic for report purposes  Capture extensions do not modify existing Extensible Switch traffic  Example: sflow by inMon  Windows Filter Platform (WFP) Extensions can inspect, drop, modify, and insert packets using WFP APIs  Windows Antivirus and Firewall software uses WFP for traffic filtering  Example: Virtual Firewall by 5NINE Software  Forwarding extensions direct traffic, defining the destination(s) of each packet  Forwarding extensions can capture and filter traffic  Examples: – Cisco Nexus 1000V and UCS – NEC ProgrammableFlow's vPFS OpenFlow Capture Extensions (NDIS) Windows Filter Platform (WFP) Forwarding Extensions Forwarding Extensions (NDIS) Filtering Engine BFE Service Firewall Callout

Open, Extensible Virtual Switch Nexus 1000 Support Openflow Support Network Introspection Much more… Advanced Networking ACLs PVLAN …much more… Windows NIC Teaming Network QoS Per VNIC bandwidth reservation & limits Network Metering DVMQ SR-IOV Network Support Reduce Latency & CPU Utilization Supports Live Migration

Network I/O path with SR-IOVNetwork I/O path without SR-IOV Physical NIC Root Partition Hyper-V Switch Routing VLAN Filtering Data Copy Routing VLAN Filtering Data Copy Virtual Machine Virtual NIC SR-IOV Physical NIC Virtual Function

Virtual Machine Network Stack Software NIC  Enable IOV (VM NIC Property)  Virtual Function is “Assigned”  Team automatically created  Traffic flows through VF Turn On IOV  Break Team  Reassign Virtual Function  Assuming resources are available  Migrate as normal Live MigrationPost Migration  Remove VF from VM VM has connectivity even if  Switch not in IOV mode  IOV physical NIC not present  Different NIC vendor  Different NIC firmware SR-IOV Enabling & Live Migration SR-IOV Physical NIC Physical NIC Software Switch (IOV Mode) “TEAM” Software NIC Virtual Function SR-IOV Physical NIC Software Switch (IOV Mode) “TEAM” Virtual Function  Software path is not used

IPsec Task Offload: Microsoft expects deployment of Internet Protocol security (IPsec) to increase significantly in the coming years. The large demands placed on the CPU by the IPsec integrity and encryption algorithms can reduce the performance of your network connections. IPsec Task Offload is a technology built into the Windows operating system that moves this workload from the main computer's CPU to a dedicated processor on the network adapter. SR-IOV is a specification that allows a PCIe device to appear to be multiple separate physical PCIe devices. The SR-IOV specification was created and is maintained by the PCI SIG, with the idea that a standard specification will help promote interoperability. SR-IOV works by introducing the idea of physical functions (PFs) and virtual functions (VFs). Physical functions (PFs) are full-featured PCIe functions; virtual functions (VFs) are “lightweight” functions that lack configuration resources. Dynamic Virtual Machine Queue (VMQ) dVMQ uses hardware packet filtering to deliver packet data from an external virtual machine network directly to virtual machines, which reduces the overhead of routing packets and copying them from the management operating system to the virtual machine.

Set-VMNetworkAdapter –VMName MyVM –PortMirroring Source

Add-VMNetworkAdapterAcl

Set-VMNetworkAdapterVlan

Networking Performance Dynamic VMq IPsec Task Offload SR-IOV Support The Hyper-V Extensible Switch takes advantage of hardware innovation to drive the highest levels of networking performance within virtual machines Dynamically span multiple CPUs when processing virtual machine network traffic Offload IPsec processing from within virtual machine, to physical network adaptor, enhancing performance Map virtual function of an SR-IOV-capable physical network adaptor, directly to a virtual machine

Windows Server 2008Windows Server 2008 R2Windows Server 2012 NIC TeamingYes, via partners Windows NIC Teaming in box. VLAN TaggingYes MAC Spoofing ProtectionNoYes, with R2 SP1Yes ARP Spoofing ProtectionNoYes, with R2 SP1Yes SR-IOV NetworkingNo Yes Network QoSNo Yes Network MeteringNo Yes Network Monitor ModesNo Yes IPsec Task OffloadNo Yes VM Trunk ModeNo Yes

Hyper-V is fully integrated in the Windows network stack Use the synthetic network adapter Use VLAN tagging & firewall rules for security Windows Server 2012 includes inbox NIC Teaming for load balancing and failover VMQ provides great performance for most workloads SR-IOV for low latency, high throughput workloads

©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Virtual Network VM Properties

Phy NIC Load-Balancing Failover (LBFO) Team NIC Hyper-V virtual switch VM 1 VM n Management OS Live Migration Storage Management Target Use Ensuring workloads have fair sharing, e.g. equal weights between VMs

VM2 Hyper-V Extensible Switch VM1 Gold Tenant Customers may group a number of VMs that each don’t have minimum bandwidth. They will be bucketized into a default flow which has minimum weight allocation. This is to prevent starvation. ??10 1 Gbps

Hyper-V Extensible Switch Unified Remote Access Gateway <100Mb One common customer pain point is WAN links are expensive Cap VM throughput to the Internet to avoid bill shock ∞ Internet Intranet

Windows Server 2012 QoS DCB Traffic Classification Windows Network Stack Windows Storage Stack Winsock File I/O API PowerShell WMI PowerShell WMI Up to 8 classes LAN Miniport iSCSI Miniport

LAN Miniport Windows Network Stack Windows Storage Stack Winsock File I/O API Windows Server 2012 QoS DCB Traffic Classification PowerShell WMI PowerShell WMI Up to 8 classes kRDMA

Set-VMNetworkAdapter

©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.