Lab: Part 4 – Hyper-V Networking

This is the fourth in a series of posts about my new dual-Xeon Citrix lab project. Before creating virtual machines within Hyper-V, it is worth spending some time to understand Hyper-V networking and options to achieve good server performance and resiliency.

More from the Lab!

 

Microsoft Hyper-V is a Type 1 hypervisor that runs directly on the hardware of the host and shares its resources between multiple virtual machines. To be able to configure your host and your virtual machines, there needs to be a basic understanding of what’s going on at the network level. The way networking is configured can have a big impact on the performances and the resiliency of your infrastructure.

In this post we will review the basics of networking, the Hyper-V concepts (partitions, virtual switches, access/trunk mode, tagged/untagged). We will also spend some time working with PowerShell and Microsoft Hyper-V.

What is virtual networking?

Virtualization is not only reserved for servers; the same concept applies to switches, routers, etc. Virtual networks respect the same rules as regular networks and can be segmented into Local Area Networks (LANs) and Wide Area Networks (WANs), but also logically with Virtual Local Area Networks (vLANs).

The goal of network virtualization is mostly to reduce hardware costs and maintenance by using more of its capacity.

Fundamentals

Remember the fundamentals of networking?

• Layer 1 – Physical
  Physical network adapter, switches, Ethernet cables, etc.
• Layer 2 – Data Link
  Transfers data between WAN and LAN. Ethernet frame, MAC addresses, Virtual Switches, etc.
• Layer 3 – Network
  Addressing, routing and traffic control. Routers, TCP/IP.
• Layer 4 – Transport
  TCP/UDP, etc.
• Layer 5 – Session
  RPC, etc.
• Layer 6 – Presentation
  Data encoding/encryption/multiplexing, etc.
• Layer 7 – Application
  HTTP, FTP, etc.

These layers are part of the Open Systems Interconnection (OSI) model. Microsoft Hyper-V works between Layers 1 and 4.

Lab Network design

Below is the network design of the lab.

As discussed in previous posts, the host has two physical network adapters, which is the minimum recommended by Microsoft for Hyper-V. In that case, it is best to dedicate one adapter to remote connections and one adapter to Hyper-V. This will offload the network traffic from the host to a different adapter, while network traffic related to the virtual machines flows through the dedicated adapter.

The physical network adapter called VM (192.168.1.10) will be dedicated to Hyper-V.
The physical network adapter called RDP (192.168.1.12) will be dedicated to remote connections.

On the physical network adapter assigned to remote connections, Hyper-V extensible virtual switch is disabled to ensure that Hyper-V does not use this adapter. It also improves performances by reducing overhead.

Note: Microsoft does not support wireless network adapters with Hyper-V.

Partitions

Running on top of the hypervisor, there are two different partitions.

Parent/Root

The host, the physical adapter associated with Hyper-V(VM) and the virtual switches are part of the Parent Partition. It hosts the Virtualization Stack and manages drivers, lifecycle, power management, etc. of the guest virtual machines.

Note: Only one parent partition per Hyper-V host.

Child/Guest

Virtual machines and their associated virtual network adapters are part of the child partitions. Each operating system resides on its own partition. To communicate with the physical network, the guest partition does not communicate directly with the physical network adapter, but passes through the virtual network adapter and the virtual switch, and finally ends up on the physical network adapter. Virtual network adapters are configured exactly as physical network adapters.

Note: Child partitions are unlimited.

Virtual Switches in Hyper-V

Switches are (with routers) the base of a network. They create interconnections with computers, servers, printers, etc.  Virtual Switches are nothing more than software programs working at the Level 2 (OSI) that allow virtual machines to communicate together, serve as a link between the virtual network and the physical network and allow multiple virtual machines to use the same physical network adapter. Virtual Switches have the same behavior as a physical switches, except that you can add and remove ports whenever you want because everything is virtual.

Virtual Switches also keep a MAC table with the list of all MAC addresses from virtual machines connected to them.

Virtual switches are part of the parent partition.

The best practice is to have as few virtual switches as possible. For a small deployment or a small lab, one virtual switch should be enough.

Network isolation or offloading the traffic from the physical network adapter are valid reasons to have multiple virtual switches. Some virtual machines don’t need to communicate with the physical network and therefore don’t need to use the same virtual switch. That is the case in my lab because only the Netscalers (located in the DMZ) need to access the physical network. All my other servers will be located in a private network (LAN) and use the Netscalers as their gateway to go on the physical network or internet.

To be able to perform that operation, my Netscaler virtual machines will have two virtual network adapters bound to two different virtual switches. The first network adapter will be bound to the external virtual switch and the second network adapter will be bound to the private virtual switch. All the servers in the private network will be able to communicate together as connected to a common private virtual switch.

To create a new virtual switch, open Hyper-V Manager or virtmgmt.msc.

On the Actions panel on the right, select Virtual Switch Manager.

Select New virtual network switch on the left panel.

There are three options to isolate the traffic:

• External (less secure)

Communication is allowed between the virtual machines, the host, and the physical network (internet). It requires a dedicated physical network adapter on the host (one external virtual switch per physical network adapter). The physical network adapter becomes an “uplink” when assigned to an external virtual switch.

• Internal (secure)

Communication is only allowed between the virtual machines and the parent Hyper-V partition (Unlimited). VMs on the switch can communicate to each other, but additionally can communicate to the Hyper-V host itself.

• Private (highly secure)

Communication is only allowed between the virtual machines on the same host. They cannot communicate with the parent Hyper-V partition (Unlimited). The Private virtual switch cannot communicate to any network outside of the host, either.

 

As discussed previously, I need to create two virtual switches to allow:

1. Communication between the Netscalers and the physical adapter -> external virtual switch
2. Communication between the virtual machines -> private virtual switch

First, we will create the external virtual switch and the private virtual switch.

Add a new External Virtual Switch

The virtual switch is mapped to my physical network adapter dedicated for my virtual machines (DMZ). It will bridge my Internet connection.

Select External. Then select Create Virtual Switch.

The switch is connected to my physical NIC (VM).

The option Allow management operating system to share this network adapter is not ticked in order to block the operating system to see the virtual switch.Ticking this option will create a virtual switch port for the management operating system and connects it to the external virtual switch.

 

On the network adapter, nothing is checked except Hyper-V Extensible Virtual Switch. It means that this network adapter is now an “uplink” and is now managed by Hyper-V.

Once the external virtual switch is created, there is absolutely nothing connected to the physical adapter except the virtual switch. There is no exception to this. Everything will go through the new virtual switch. Even if the parent partition can see the physical network adapter, it will communicate through the virtual switch.

Add a new Private Virtual Switch

To create the second virtual switch, select Private and Create Virtual Switch.

There is no configuration for this virtual switch.

The private virtual switch will simulate the LAN. Most of the servers in the lab will be connected to this network and won’t have access to the physical network.

To assign a virtual switch to a virtual machine, open Settings, then select Network Adapter and select the virtual switch in the drop down list.

If you need a virtual machine to be connected to multiple virtual networks (Netscalers in my lab), then you must simply create one or more additional virtual network adapters by using the Add Hardware option at the top of the Settings dialog box.

Modes and vLAN

It is possible to configure a virtual switch port in two modes: Access Mode or Trunk Mode. Both modes are related to Virtual LAN.

Virtual LAN

Virtual LAN (implemented through software) is a logical group of devices that appear to be on the same LAN even if they are not in the same segment. The location of the devices does not matter if connected to a vLAN. This is not a new concept, it has been around for a long time on physical networks to avoid broadcast and congestion issues.

vLANs are isolated by nature, as it is not possible to jump from a vLAN to another vLAN.

The only physical requirement is to make sure that your hardware (switches, network adapters, etc) is compatible with vLANs. As expected, Microsoft has included vLAN support in its virtual switch implementation.

It is recommended to configure vLANs rather than adding more virtual switches in order to isolate the network traffic.

vLAN ID

Virtual LAN ID (vLAN ID) is a number (int) identifying the network which is encapsulated within the Ethernet frame. In Hyper-V, you can assign vLAN IDs to ports on the virtual switches. Virtual machines connected to ports with the same vLAN ID will share the same segment.

Access Mode

By default a virtual switch is configured in Access Mode with untagged vLANs configured on the ports.

Access Mode with Untagged Ports

When there is no vLAN specified on the virtual switch port (default configuration), the default configuration of Hyper-V is to mark the port as untagged. The port and the frames will be untagged.

Access Mode with Tagged Ports

If the port is configured with a specific vLAN, it will become member of that vLAN but the frame stays untagged. The port will be tagged with a vLAN ID but the frames will remain untagged. The virtual switch only allows communication between virtual machines connected to ports tagged with the same vLAN ID.

If there is something to remember in this section, it is that the frames will always remain untagged when the virtual switch port is configured in Access Mode, vLAN ID tagged or not. 

To tag a vLAN ID on a virtual switch port, open Settings of the virtual machine.

Select Enable virtual LAN Identification and enter the vLAN ID.

This action will configure the port associated with the virtual machine on the virtual switch.

Before

After tagging the port

Below is detailed configuration. You can see that the vLAN ID associated with virtual machine port on the virtual switch is vLAN ID 2.

The limitation of this configuration is that you can only assign one vLAN ID to a port on the virtual switch. To be able to assign more than one vLAN ID, you need to configure the port in Trunk Mode.

Trunk Mode

Trunk Mode provides the ability for a virtual switch port and the virtual machine connected to it to receive traffic from multiple vLANs.

Configuring trunk mode for a virtual network adapter is not supported from the Hyper-V Manager; only a single VLAN can be configured but PowerShell is here to save us all.

The native vLAN ID must not be in the scope of the allowed vLAN ID list. 

The example below will enable the virtual machine DC to send and receive traffic on vLAN 2 to 10. If no vLAN is specified in the network packet, it will be processed on vLAN 99.

The Trunk mode configuration is not visible in the Hyper-V GUI.

PowerShell

There are many PowerShell commands to manage Hyper-V. Below are few useful ones you need to know:

Show the physical network adapters

Add external virtual switch

Add internal virtual switch

Add private virtual switch

Display all virtual switches

Display all virtual switches with all details

Display VM virtual network adapter configuration

AccessVlanID is the vLAN ID configured on the virtual machine network adapter.

Configure virtual switch port as Untagged

Configure virtual switch port as Tagged with a vLAN ID

Configure Trunk Mode

Conclusion

The networking part of the lab has a lot of settings. These are the most important:

• Two physical network adapters
  • one dedicated to virtual machines
  • one dedicated to management
• Two virtual switches (Access Mode – Tagged/Untagged)
  • external switch bound to the physical network adapter dedicated to the virtual machines (Untagged)
  • private switch not bound to any physical network adapter (Tagged vLAN ID 2)
    • Ports are tagged but frames are not
• Trunk Mode only necessary if you need to receive traffic from more than one vLAN.
  • To be configured via PowerShell

That’s all for the network configuration with Hyper-V. I hope this clears up some of the confusion with the terminology that Microsoft uses. In the next installment of this series, we will start to work with Citrix products (finally!) by reviewing NetScaler architecture and installing two virtual appliances.

More from the Lab!