ms network virtualization
VIRTu Alley Online Symposium Your pathway to keeping up with the ever-growing virtualization industry January 15 and 16, 2013
Damian Flynn, Cloud & Datacenter MVP. Online Symposium: Microsoft Network Virtualization with Hyper-V
Microsoft Network Virtualization
The Hyper-V extensible switch is a virtual Ethernet switch that runs in the management operating system of the Hyper-V parent partition. Through the use of extensions, independent software vendors (ISVs) can extend the switch functionality. In the box, Microsoft supplies an extension for Network Virtualization. In this presentation we will introduce the concept of encapsulated network virtualization; additionally, using PowerShell, we will learn how to correctly enable the extension and establish a virtual network in a sample two-host environment.
Objective
Manageability
• Windows PowerShell provider
• Unified tracing, capture and diagnostics
Extensible Virtual Switch
Benefits
• SR-IOV
• Dynamic VMQ
• QoS: bandwidth limits and reservations
• Port ACLs: per MAC/IPv4/IPv6, with Allow/Deny/Meter rules
• ARP poisoning / ND protection
• Router and DHCP Guard
• Port mirroring
• IPsec offloads
Extensibility
• Extension monitoring
• Extension coexistence
Extensible Switch Partners
• Security Manager
• Nexus 1000v
• Univerge PF1000
• sFlow…
• Phantom Virtualization Tap
• Common solution: VLAN per tenant
  • Does NOT scale (only a 4095 VLAN limit)
  • Management complexity grows with scale
Isolation Solutions
Illustration – VLAN tags stretched across Host 1, Host 2 and Host 3
• New with Hyper-V 2012: Private VLAN (PVLAN)
  • Tenants with single VMs, or groups of VMs
• Network Virtualization
  • Removes the dependency on VLANs
Illustration – VLAN Scale (Book: Hyper-V 2012 Configuration and Installation)
Isolation
• All VMs isolated from each other
• All VMs may have internet access
• Perfect for one-off VMs
Community
• Groups tenant VMs together
• Isolated from other tenants
• All VMs may have internet access
• Utilizes a VLAN ID per community
New Offering: PVLAN
Illustration – PVLAN Relationships (Book: Hyper-V 2012 Configuration and Installation)
Network Virtualization
• Run multiple virtual networks on a physical network
• Each virtual network has the illusion that it is running on its own physical network
New Offering: Network Virtualization
Illustration – Host 1 and Host 2 running tenant VMs BLUE1, BLUE2 and BLUE3 (192.168.1.11, .12, .13); a second tenant then adds RED1, RED2 and RED3 using the same addresses 192.168.1.11, .12, .13
Any Service, Any Server, Any Cloud
• Decouple the tenant's infrastructure from the physical infrastructure
• Policy-based, software-defined networking
Segregation of Duties
• Network administration decoupled, to focus on capacity and performance
• VM placement possible, independent of network topology
Scalable Layer 3 Virtual Networking
• Reduction of complexity and cost for the network infrastructure
• Scalable design
• New industry standard: Cisco and F5 publicly announced support for NVGRE
Network Virtualization: Why?
Network Virtualization
• Virtualize the VM's IP address: each VM uses two IP addresses
• The IP address visible within the VM
  • Referred to as the Customer Address (CA)
  • May overlap between customers
• The IP address visible on the physical network
  • Referred to as the Provider Address (PA)
• Addresses may be IPv4 or IPv6
Network Virtualization: How?
Bring Your Own Address
• Encapsulate the VM's IP address (CA) inside the host's IP address (PA)
• GRE permits a single host IP address to encapsulate all of its VMs' addresses
• The tenant identifier is stored in the GRE packet to retain isolation
Network Virtualization: Encapsulation
Illustration – Encapsulation: Host 1 and Host 2 each hold the full CA-to-PA address table (in this figure Host 1 has provider address 10.1.1.10 and Host 2 has 10.1.1.11)

Address table (identical on Host 1 and Host 2):
VM      CA              PA
BLUE1   192.168.1.11    10.1.1.10
BLUE2   192.168.1.12    10.1.1.10
RED1    192.168.1.11    10.1.1.10
BLUE3   192.168.1.13    10.1.1.11
RED2    192.168.1.12    10.1.1.11
RED3    192.168.1.13    10.1.1.11

GRE encapsulation of a packet from BLUE1 to BLUE3 (VSID 4501 for the BLUE VMs, 4601 for the RED VMs):
GRE encapsulation (outer): To HOST2, From HOST1, VSID, MAC
GRE payload (inner): To BLUE3, From BLUE1
HOST2 : HOST1 : VSID : MAC | BLUE3 : BLUE1
Network Virtualization: Extensible Switch
Illustration – Extensible switch architecture: the host network stack (Management, Live Migration, Cluster, Storage) sits on LBFO; the vmSwitch carries the Network Virtualization extension, which maps CA to PA through its lookup tables, also over LBFO
Enable Network Virtualization on our extensible switch
• Determine the vSwitch
• Then enable the ms_netwnv filter (the Network Virtualization extension) on the adapter bound to it
Network Virtualization - Step 1
$vSwitch = Get-VMSwitch -Name "Microsoft Network Adapter Multiplexor Driver - Virtual Switch"
Enable-NetAdapterBinding -InterfaceDescription $vSwitch.NetAdapterInterfaceDescription -ComponentID "ms_netwnv"
Stop the VMs; assign a static MAC and a Virtual Subnet ID (CA creation)
• The static MAC is used as a static identifier for the VM
• Isolation is assigned using the Virtual Subnet ID
• Don't forget to reset the VM's IP, as we are now isolated!
Network Virtualization - Step 2
# BLUE tenant: static MACs 00-45-01-00-00-0n, Virtual Subnet ID 4501
Stop-VM Blue*
(1..3) | % { Set-VMNetworkAdapter -StaticMacAddress "00450100000$_" -VMName blue$_ }
(1..3) | % { Get-VMNetworkAdapter -VMName blue$_ }
Start-VM Blue*
Get-VMNetworkAdapter BLUE* | Set-VMNetworkAdapter -VirtualSubnetId 4501
# RED tenant: static MACs 00-46-01-00-00-0n, Virtual Subnet ID 4601
Stop-VM Red*
(1..3) | % { Set-VMNetworkAdapter -StaticMacAddress "00460100000$_" -VMName Red$_ }
(1..3) | % { Get-VMNetworkAdapter -VMName red$_ }
Start-VM Red*
Get-VMNetworkAdapter RED* | Set-VMNetworkAdapter -VirtualSubnetId 4601
Enable the host's Provider Address (PA)
• Configure the Network Virtualization extension
• The static MAC is used as a static identifier for the VM
• Tenancy is assigned using the Virtual Subnet ID
Network Virtualization - Step 3
$vSwitch = Get-VMSwitch -Name "Microsoft Network Adapter Multiplexor Driver - Virtual Switch"
$paAdaptor = Get-NetAdapter -InterfaceDescription $vSwitch.NetAdapterInterfaceDescription
# Next, assign a Provider Address to the external network interface
New-NetVirtualizationProviderAddress -InterfaceIndex $paAdaptor.InterfaceIndex -ProviderAddress 172.16.1.101 -PrefixLength 24 -VlanID 10
Repeat on the second and subsequent hosts…
• The Provider Address must be routable between hosts
• TIP: a host cannot ping its own provider address!
Define the tenancy with a GUID
• Configure the Network Virtualization extension
• Generate a new unique ID for each tenant, which you will assign on every host
• Define the CA IP space and Subnet ID utilized by the tenancy
Network Virtualization - Step 4
$blueGUID = "{" + [string][System.Guid]::NewGuid() + "}"
New-NetVirtualizationCustomerRoute -RoutingDomainID $blueGUID -VirtualSubnetID 4501 -DestinationPrefix "192.168.1.0/24" -NextHop 0.0.0.0
$redGUID = "{" + [string][System.Guid]::NewGuid() + "}"
New-NetVirtualizationCustomerRoute -RoutingDomainID $redGUID -VirtualSubnetID 4601 -DestinationPrefix "192.168.1.0/24" -NextHop 0.0.0.0
Repeat on the second and subsequent hosts…
• Ensure that you use the same GUID for the tenancy on all hosts!
Define the lookup tables (GRE)
• Configure the Network Virtualization extension
• Create a lookup entry for each VM
• Define its VirtualSubnetID, CA address, MAC and host Provider Address
Network Virtualization - Step 5
# Host 1 (PA 172.16.1.101) runs Blue1, Blue2 and Red1
New-NetVirtualizationLookupRecord -VMName Blue1 -VirtualSubnetID 4501 -CustomerAddress 192.168.1.11 -ProviderAddress 172.16.1.101 -MACAddress 004501000001 -Rule TranslationMethodEncap -CustomerID $blueGUID
New-NetVirtualizationLookupRecord -VMName Blue2 -VirtualSubnetID 4501 -CustomerAddress 192.168.1.12 -ProviderAddress 172.16.1.101 -MACAddress 004501000002 -Rule TranslationMethodEncap -CustomerID $blueGUID
New-NetVirtualizationLookupRecord -VMName Red1 -VirtualSubnetID 4601 -CustomerAddress 192.168.1.11 -ProviderAddress 172.16.1.101 -MACAddress 004601000001 -Rule TranslationMethodEncap -CustomerID $redGUID
# Host 2 (PA 172.16.1.102) runs Blue3, Red2 and Red3
New-NetVirtualizationLookupRecord -VMName Blue3 -VirtualSubnetID 4501 -CustomerAddress 192.168.1.13 -ProviderAddress 172.16.1.102 -MACAddress 004501000003 -Rule TranslationMethodEncap -CustomerID $blueGUID
New-NetVirtualizationLookupRecord -VMName Red2 -VirtualSubnetID 4601 -CustomerAddress 192.168.1.12 -ProviderAddress 172.16.1.102 -MACAddress 004601000002 -Rule TranslationMethodEncap -CustomerID $redGUID
New-NetVirtualizationLookupRecord -VMName Red3 -VirtualSubnetID 4601 -CustomerAddress 192.168.1.13 -ProviderAddress 172.16.1.102 -MACAddress 004601000003 -Rule TranslationMethodEncap -CustomerID $redGUID
Repeat on the second and subsequent hosts…
VM Movement
• The virtual machine retains its VSID, MAC and IP address
• This information migrates with the VM around the hosts
• Hosts DO NOT need to be clustered!
Network Virtualization Extension
• Does NOT track VM movements
• The lookup table must be MANUALLY updated
• To scale, use orchestration: Microsoft System Center Virtual Machine Manager 2012 SP1
Network Virtualization – In Action
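As an added worked example (not from the presentation), here is the lookup-table and encapsulation behaviour from the Encapsulation and VM Movement slides modelled in Python using the Step 5 values: records are keyed by (VSID, CA) so BLUE and RED can both use 192.168.1.11-13, the GRE key carries the 24-bit VSID, a destination with no record in the sender's VSID is dropped, and a VM move changes only the PA column. The GRE constants follow the NVGRE specification; the routing-domain GUIDs are placeholders.

```python
import struct
from dataclasses import dataclass, replace

GRE_FLAGS_KEY = 0x2000   # GRE flags/version word: Key Present bit set (NVGRE requires it)
ETHERTYPE_TEB = 0x6558   # protocol type: Transparent Ethernet Bridging (an inner frame follows)

@dataclass(frozen=True)
class LookupRecord:
    vm: str
    vsid: int        # Virtual Subnet ID: the tenant subnet, carried in the GRE key
    ca: str          # Customer Address: the IP the tenant VM sees
    mac: str         # static MAC, used as the VM's stable identifier
    pa: str          # Provider Address: the host currently running the VM
    customer: str    # routing-domain GUID (placeholder values below)

class HnvLookupTable:
    """One host's lookup table. Keyed by (VSID, CA) so overlapping tenant CAs stay apart."""
    def __init__(self, records):
        self.by_vm = {r.vm: r for r in records}
        self.by_ca = {(r.vsid, r.ca): r for r in records}

    def encapsulate(self, src_vm, dst_ca):
        """Return the NVGRE outer/inner addressing for a packet, or None if not deliverable."""
        src = self.by_vm[src_vm]
        dst = self.by_ca.get((src.vsid, dst_ca))   # only records in the sender's own VSID
        if dst is None:
            return None   # no record in this VSID: the extension drops the packet
        return {"outer_src": src.pa, "outer_dst": dst.pa, "gre": gre_header(src.vsid),
                "inner_src": src.ca, "inner_dst": dst.ca, "inner_dst_mac": dst.mac}

    def move_vm(self, vm, new_pa):
        """VM migration keeps VSID, CA and MAC; only the PA column changes (a manual update)."""
        moved = replace(self.by_vm[vm], pa=new_pa)
        self.by_vm[vm] = moved
        self.by_ca[(moved.vsid, moved.ca)] = moved
        return moved

def gre_header(vsid, flow_id=0):
    """NVGRE GRE header: 16-bit flags, 16-bit protocol, 32-bit key = VSID<<8 | 8-bit FlowID."""
    return struct.pack("!HHI", GRE_FLAGS_KEY, ETHERTYPE_TEB, ((vsid & 0xFFFFFF) << 8) | (flow_id & 0xFF))

# Constructed from the slide's Step 5 values; the GUIDs are placeholders, not real identifiers
RECORDS = [
    LookupRecord("Blue1", 4501, "192.168.1.11", "004501000001", "172.16.1.101", "{BLUE-GUID}"),
    LookupRecord("Blue2", 4501, "192.168.1.12", "004501000002", "172.16.1.101", "{BLUE-GUID}"),
    LookupRecord("Red1",  4601, "192.168.1.11", "004601000001", "172.16.1.101", "{RED-GUID}"),
    LookupRecord("Blue3", 4501, "192.168.1.13", "004501000003", "172.16.1.102", "{BLUE-GUID}"),
    LookupRecord("Red2",  4601, "192.168.1.12", "004601000002", "172.16.1.102", "{RED-GUID}"),
    LookupRecord("Red3",  4601, "192.168.1.13", "004601000003", "172.16.1.102", "{RED-GUID}"),
]
```

Calling `HnvLookupTable(RECORDS).encapsulate("Blue1", "192.168.1.13")` yields outer 172.16.1.101 to 172.16.1.102 with VSID 4501, while the same CA from Red1 resolves to Red3 under VSID 4601.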
http://www.damianflynn.com
http://blogs.technet.com/b/scvmm/archive/2013/01/08/virtual-networking-in-vmm-2012-sp1.aspx
And don't forget: get the books…
Learn More…