NIC - Hybrid Cloud with NVGRE - Level 400

DESCRIPTION

Join a true VMM Ninja and learn about network virtualization in a practical way. This session will walk through the configuration parts required and also explain what happens and, more importantly, why and how it happens. Windows Server and System Center use Network Virtualization with GRE in order to fulfil the story around the Cloud OS, and it must be considered mandatory for hybrid cloud solutions, no matter whether it is in the enterprise or part of a hosting plan with Windows Azure Pack. VMM is responsible for deploying, maintaining and configuring the NVGRE policies across your cloud infrastructure, so everything will be performed from this single console. (Yes, you will learn a lot about networking in VMM in general during this session too.)

TRANSCRIPT
Kristian Nese, CTO, MVP, Lumagate
Hybrid Cloud with NVGRE (WSSC 2012 R2), based on the whitepaper
Kristiannese.blogspot.com, @KristianNese
Dynamic VLAN Reconfiguration is Cumbersome
[Diagram: VMs behind ToR switches, with VLAN tags carried up to the aggregation switches]
Topology limits VM placement and requires reconfiguration of production switches
Session Objectives
• Business requirements
• Explaining the technology and features involved
• VMM Networking (HUGE TOPIC!): configuration and setup
• Network Virtualization in Windows Server Hyper-V 2012 R2 and VMM 2012 R2
• Microsoft Multi-Tenant Gateway
Business Requirements

Enterprises
• In a private cloud, datacenter consolidation can be achieved more easily by using network virtualization
• Incremental integration of an acquired company's network infrastructure
• Extension of the datacenter into the hybrid cloud

Service Providers
• Tenants can bring their own network topology, and eventually manage their own networks (VM networks)
• Share a single physical network securely across multiple tenants

Workload owners and tenants
• Seamless migration to the cloud
• Move an n-tier topology to the cloud
• Preserve policies, VM settings and IP addresses

Cloud and Datacenter Administrators
• Decoupling of server and network admin roles increases agility
• Flexible VM placement without network reconfiguration
• Reduced costs for management and support
Explaining the technology and features involved
• NIC teaming (WS 2012 R2)
• QoS (WS 2012 R2)
• Virtual Switch Extensions (WS 2012 R2)
• Virtualization Gateway in RRAS (WS 2012 R2)
• Hyper-V Network Virtualization (WS 2012 R2)
• Logical Networks (VMM 2012 R2)
• Port Profiles (VMM 2012 R2)
• Logical Switches (VMM 2012 R2)
• Network Services (VMM 2012 R2)
• Service Templates (VMM 2012 R2)
VMM Networking

Isolation Types in VMM
Physical separation: physical switches and adapters for each type of traffic
Layer 2, VLAN: a tag is applied to packets and is used to control the forwarding
Network Virtualization: isolation through encapsulation; independence from the physical address space
Layer 2, Private VLAN (PVLAN): primary and secondary tags are used to isolate clients while still giving access to shared services*
* VMM 2012 SP1 and R2 only support creation of isolated PVLAN VMs
Where and What Isolation Should We Use?
Infrastructure networks: VLAN or no isolation
Load balancer back end and internet facing: PVLAN
Tenant networks: network virtualization or external
Logical Networks
• Models the physical network
• Separates like subnets and VLANs into named objects that can be scoped to a site
• Container for fabric static IP address pools
• VM networks are created on logical networks
Port Profiles and Classifications
• Two port profile types: Uplink and Virtual
• Port Classifications
  • Container for port profile settings
  • Reusable
  • Exposed to tenants through the cloud
Logical Switch
• Central container for virtual switch settings
• Consistent port profiles across the data center
• Consistent extensions
• Compliance enforcement
Logical Switch in VMM
[Diagram: a logical switch combining switch settings, uplink port profiles and virtual port profiles for the Corp, Mgmt and Cluster networks]
VM Networks, VM Subnets and IP Pools
NVGRE in Windows Server 2012 R2 and VMM 2012 R2
[Diagram: System Center holds the virtualization policy and virtualizes customer addresses. Customer Address Space (CA): BlueCorp (Blue1, Blue2) and RedCorp (Red1, Red2) both use the CAs 10.0.0.5 and 10.0.0.7. Provider Address Space (PA): Host 1 and Host 2 on the datacenter network have the PAs 192.168.4.11 and 192.168.4.22. Per-tenant CA-to-PA lookup records: Blue 10.0.0.5 -> 192.168.4.11 and 10.0.0.7 -> 192.168.4.22; Red 10.0.0.5 -> 192.168.4.11 and 10.0.0.7 -> 192.168.4.22.]
Hyper-V Network Virtualization Concepts
• Customer VM Network
  • One or more virtual subnets forming an isolation boundary
  • A customer may have multiple Customer VM Networks, e.g. Blue R&D and Blue Sales are isolated from each other
• Virtual Subnet
  • Broadcast boundary
[Diagram: in the hoster datacenter, Blue Corp has Blue Subnet1 to Blue Subnet5 spread across the Blue R&D Net and the Blue Sales Net, and Red Corp has Red Subnet1 and Red Subnet2 in the Red HR Net; each Customer VM Network is made up of virtual subnets]
Hyper-V Network Virtualization Concept
[Diagram: VMs with CAs 10.0.0.5 and 10.0.0.7 in two tenants sit on hosts with PAs 192.168.2.22 and 192.168.5.55, i.e. on different subnets. The NVGRE packet carries the Provider Address in the outer header, the VSID as the GRE Key (5001 for one tenant, 6001 for the other), and the original frame with its MAC and Customer Address inside.]
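To make the CA/PA/VSID relationship concrete, here is an added Python example (not from the slides or the whitepaper) that encodes and decodes an NVGRE packet against a constructed lookup policy using the slides' values: CAs 10.0.0.5 and 10.0.0.7 in both tenants, PAs 192.168.4.11 and 192.168.4.22, VSIDs 5001 and 6001. It builds a real IPv4 outer header (protocol 47) and a GRE header with the Key bit set, with the 24-bit VSID in the key; the policy table and the inner Ethernet frame are constructed.

```python
import struct
from ipaddress import IPv4Address

# Constructed virtualization policy mirroring the slides: Blue (VSID 5001) and Red (VSID 6001)
# reuse the same customer addresses; the VM with CA .5 sits on the host with PA .11, CA .7 on PA .22.
VSID = {"Blue": 5001, "Red": 6001}
LOOKUP = {  # lookup records: (VSID, customer address) -> provider address of the hosting Hyper-V host
    (5001, "10.0.0.5"): "192.168.4.11", (5001, "10.0.0.7"): "192.168.4.22",
    (6001, "10.0.0.5"): "192.168.4.11", (6001, "10.0.0.7"): "192.168.4.22",
}
GRE_KEY_PRESENT, ETH_BRIDGING, IPPROTO_GRE = 0x2000, 0x6558, 47  # K flag, Transparent Ethernet Bridging, GRE

def ip_checksum(hdr):
    """Standard ones'-complement IPv4 header checksum; returns 0 for a header whose checksum is valid."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def outer_ipv4(pa_src, pa_dst, payload_len):
    """Outer header addressed with provider addresses; the physical network only ever sees these."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, IPPROTO_GRE, 0,
                      IPv4Address(pa_src).packed, IPv4Address(pa_dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def nvgre_header(vsid, flow_id=0):
    """GRE header with K set; the 32-bit key carries the 24-bit VSID followed by an 8-bit FlowID."""
    return struct.pack("!HHI", GRE_KEY_PRESENT, ETH_BRIDGING, ((vsid & 0xFFFFFF) << 8) | (flow_id & 0xFF))

def encapsulate(tenant, ca_src, ca_dst, inner_frame, flow_id=0):
    """Sending host: resolve CA -> PA through the policy; no lookup record means the frame is dropped."""
    vsid = VSID[tenant]
    try:
        pa_src, pa_dst = LOOKUP[(vsid, ca_src)], LOOKUP[(vsid, ca_dst)]
    except KeyError:
        return None
    gre = nvgre_header(vsid, flow_id) + inner_frame
    return outer_ipv4(pa_src, pa_dst, len(gre)) + gre

def decapsulate(packet):
    """Receiving host: validate the outer header, then recover VSID, FlowID and the original frame."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid GRE-in-IPv4 packet")
    pa_src, pa_dst = IPv4Address(packet[12:16]), IPv4Address(packet[16:20])
    flags, proto, key = struct.unpack("!HHI", packet[ihl:ihl + 8])
    if not flags & GRE_KEY_PRESENT or proto != ETH_BRIDGING:
        raise ValueError("not an NVGRE packet")
    return {"pa_src": str(pa_src), "pa_dst": str(pa_dst), "vsid": key >> 8,
            "flow_id": key & 0xFF, "inner": packet[ihl + 8:]}
```

The same CA pair encapsulated for Blue and for Red yields identical outer headers and differs only in the VSID, which is exactly why the receiving host can keep the two tenants apart.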
Network Virtualization Improvements in Windows Server 2012 R2 Hyper-V
• Network Virtualization is now a virtual switch extension
  • Hyper-V network virtualization and forwarding extensions can coexist
  • Hyper-V Network Virtualization enabled by default
• Broadcast/Multicast support
• Dynamic IP address learning
• Support for guest clustering
• DHCP inside VM networks
• Inbound and outbound spread on virtualized traffic
  • Higher performance with teamed NICs
  • Utilizes LBFO's new Dynamic Mode
Network Virtualization Improvements in Windows Server 2012 R2 Hyper-V
• Provider Addresses configured with a MAC address
  • *-NetVirtualizationProviderAddress cmdlets updated to take a MAC address
  • Optimal performance when you have 1 (or more) PAs per NIC in the team
• Enhanced diagnostics: Test-VMNetworkAdapter and Select-NetVirtualizationNextHop
• NVGRE Encapsulated Task Offload: available in 2012, and recently Emulex and Mellanox have announced products supporting NVGRE Task Offload
Network Virtualization Improvements in VMM 2012 R2
• Improved HNV policy application
• All network devices* and services are now "network services"
• Highly available Multi-Tenant Gateway
• Full IPAM integration
  • In-box plugin for Microsoft IPAM
  • Exchange logical networks, sites and subnets
• More error-resistant VMM server
*except load balancers
[Diagram: network service types in VMM: Virtual Switch Extension, Network Manager, Network Virtualization Policy, Gateway, Physical Switch]
Microsoft Multi-Tenant Gateway

Hybrid Networking in WS2012 R2
• Multitenant S2S network virtualization gateway
• Clustering for high availability on guest and host level
• Uses BGP for dynamic route updates
• Multitenant-aware NAT for Internet access
• Integration with VMM 2012 R2
• Up to 200 S2S VPN connections, 50 routing domains and 500 virtual subnets
[Diagram: Contoso Site 1 and Site 2, Northwind, and Fabrikam Site 1 and Site 2 each connect over the Internet through an S2S tunnel to the hoster, which terminates them into the Contoso, Northwind and Fabrikam VM Networks; routes are exchanged with BGP]
Multi-Tenant Networking Stack
[Diagram: the gateway VM's NIC attaches to the Hyper-V switch; inside the VM, TCP/IP exposes a single IP interface to the network services]

Multi-Tenant Networking Stack
[Diagram: the same stack with compartments: the default compartment serving the existing network services, plus one compartment per tenant VM network, each with its own IP interface, serving the multitenant network services]
Network Virtualization Gateway Layout
[Diagram: two Hyper-V hosts in an HV cluster, each with management, external and PA/tenant network connections. Six Multi-Tenant PVN Gateway VMs (VM01 to VM06) are spread across the two hosts and paired into three active-passive gateway clusters: GW Cluster01, GW Cluster02 and GW Cluster03.]
IPsec Parameters for S2S VPNs

IKE Phase 1 Setup (Property: Setting)
IKE Version: IKEv2
Diffie-Hellman Group: Group 2 (1024 bit)
Authentication Method: Pre-Shared Key
Encryption Algorithms: AES256, 3DES
Hashing Algorithm: SHA1 (SHA128)
Phase 1 Security Association (SA) Lifetime (Time): 28,800 seconds

IKE Phase 2 Setup (Property: Setting)
IKE Version: IKEv2
Hashing Algorithm: SHA1 (SHA128)
Phase 2 Security Association (SA) Lifetime (Time): -
Phase 2 Security Association (SA) Lifetime (Throughput): -
IPsec SA Encryption & Authentication Offers (in order of preference): see Dynamic Routing Gateway IPsec Security Association (SA) Offers
Perfect Forward Secrecy (PFS): No
Dead Peer Detection: Supported
Known Compatible VPN Devices (Vendor | Device Family | Minimum OS Version | Configuration Template)
Cisco | ASR | IOS 15.2 | Cisco ASR templates
Cisco | ISR | IOS 15.1 | Cisco ISR templates
Juniper | SRX | JunOS 11.4 | Juniper SRX templates
Juniper | J-Series | JunOS 11.4 | Juniper J-series templates
Juniper | ISG | ScreenOS 6.3 | Juniper ISG templates
Juniper | ISG | ScreenOS 6.3 | Juniper SSG templates
Microsoft | Routing and Remote Access Service | Windows Server 2012 | Routing and Remote Access Service templates
DEMO
Summary
Check Out Our Whitepaper
Hybrid Cloud with NVGRE (WSSC 2012 R2)
http://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
Questions
Thank you!
http://kristiannese.blogspot.com
@KristianNese