The ultimate goal of the networking capabilities from a hypervisor perspective is to allow the networking traffic from inside the virtualized environment to interface with the physical network so the packets can be sent on to their destination. While much communication happens right from within the hypervisor, this interfacing of the virtual network with the physical is an important part of the overall virtual infrastructure.
Within the Microsoft Hyper-V, the Hyper-V virtual switch is the center of communication inside and out of the Hyper-V environment. It allows virtual machines to communicate with one another as well as with the physical network.
This post will be a three-part series.
In this first post, we will take an overview look at the Hyper-V virtual switch, how it works, types, and other key concepts.
In the second post, we will look at creating the Hyper-V virtual switch using Hyper-V Virtual Switch Manager and PowerShell.
In the third post, we will look at managing the Hyper-V virtual switch through the GUI and command line.
Hyper-V Virtual Switch Overview
Before delving into the virtual infrastructure, consider that operations engineers have for years dealt with the physical constructs of CPU, memory, and network. All of these constructs are replicated in the virtualized world. Focusing on the virtual network card, it functions the same way a physical network card functions, except that everything takes place in software. In the Hyper-V world, the network layer is abstracted and presented to the guest operating system in the same way the compute and storage layers are.
The Hyper-V virtual switch is referred to as a vSwitch. Again, these are software objects that are found on the Hyper-V host and basically abstract the network cards found in the host and present these to the guest operating system. The Hyper-V host network adapter ports are essentially uplink ports that allow communication back into the physical network for both intranet and Internet connectivity.
What is a Hyper-V Virtual Switch?
The Hyper-V virtual switch is a software-based layer-2 Ethernet network switch available in the Hyper-V Manager by default once the Hyper-V role is provisioned on a host. This allows connecting to both virtual networks and the physical network.
An example of extending this switch is Cisco's Nexus 1000V switch for Microsoft Hyper-V. This third-party module from Cisco adds many Cisco features to the Hyper-V virtual switch, making it behave much like the physical Cisco devices that many network engineers are familiar with. This helps to operationally support the Hyper-V virtual switch in much the same way as its physical counterparts.
When compared to physical switches, the Hyper-V virtual switch offers many advantages, including the ability to be programmatically managed and provisioned, as well as being extensible with additional features that allow third-party vendors to extend its capabilities.
The Hyper-V virtual switch is highly extensible. Using the Network Device Interface Specification or NDIS filters as well as Windows Filtering Platform or WFP, Hyper-V virtual switches can be extended by plugins written specifically to interact with the Hyper-V virtual switch. These are called Virtual Switch Extensions and can provide enhanced networking and security capabilities.
Hyper-V virtual switches also allow for and provide policy enforcement for security, isolating resources, and ensuring SLAs. These additional features are powerful tools that allow today’s multi-tenant environments to have the ability to isolate workloads as well as provide traffic shaping. This also assists in protecting against malicious virtual machines.
As with most Hyper-V features, virtual switches are manageable and configurable programmatically. Hyper-V is extremely configurable and manageable with Microsoft PowerShell, and the virtual switches are no exception. Most of the virtual switch functions can be interacted with by way of PowerShell cmdlets.
You can list out the various cmdlets available for the Hyper-V virtual switch by issuing the command:
- Get-Help *VMSwitch*
A basic example of using PowerShell with the Hyper-V virtual switch is creating a new virtual switch. This can be done with the command:
- New-VMSwitch -Name 'External01' -NetAdapterName LAN01
Hyper-V Virtual Switch Capabilities and Functionality
Today, there is perhaps no greater concern and purpose in using any form of technology than security. The Hyper-V virtual switch allows for the enforcing of policy to enhance security and isolation as well as offering tenant isolation, traffic shaping, and protection against malicious VMs.
There are many great Hyper-V virtual switch features and functionality that certainly provide and bolster the security of a Hyper-V environment including the following:
- ARP/ND poisoning/spoofing protection – A common method of attack on the network is MAC spoofing or ARP poisoning/spoofing. An attacker may use a malicious VM to impersonate or steal a legitimate IP address with ARP spoofing. Hyper-V virtual switches prevent this type of behavior by providing MAC address spoofing protection.
- DHCP Guard protection – Man-in-the-middle attacks can be carried out using rogue DHCP servers. DHCP Guard protects against a malicious VM presenting itself as an unauthorized DHCP server.
- Port ACLs – Port ACLs allow administrators to filter traffic based on MAC or IP addresses or ranges, which allows effectively setting up network isolation and micro-segmentation.
- Trunk mode to a VM – This allows directing traffic from multiple VLANs to a particular VM.
- Network traffic monitoring – Administrators can review the traffic traversing the virtual switch.
- Isolated private VLAN – Private VLANs can effectively microsegment traffic and allow better segregation for security purposes in a multi-tenant environment, as a private VLAN is basically a VLAN within a VLAN. VMs can be allowed or prevented from communicating with other VMs within the private VLAN construct.
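The following is an added example, not code from the original post, showing how the MAC spoofing, DHCP Guard and Router Guard protections and a port ACL from the list above are audited and enforced with the Hyper-V PowerShell module. It assumes an elevated session on the Hyper-V host; the VM name 'Tenant-Web01' and the 10.10.0.0/16 range are assumed values, and the tenant VM is assumed to use static addressing inside that range.

```powershell
# Added example (not from the original post): audit and enforce the
# virtual switch port protections on every VM on this host.
# 'Tenant-Web01' and 10.10.0.0/16 are assumed values.

Import-Module Hyper-V

function Get-VMPortProtectionReport {
    # One row per virtual NIC with the settings that matter for
    # MAC spoofing, rogue DHCP server and rogue router protection.
    Get-VMNetworkAdapter -VMName * |
        Select-Object VMName, Name, SwitchName,
            MacAddressSpoofing, DhcpGuard, RouterGuard, PortMirroringMode
}

function Set-VMPortProtection {
    param([Parameter(Mandatory)][string]$VMName)
    # Baseline for a tenant VM: it may only send frames from its own
    # assigned MAC, and may not act as a DHCP server or as a router.
    Set-VMNetworkAdapter -VMName $VMName `
        -MacAddressSpoofing Off `
        -DhcpGuard On `
        -RouterGuard On
}

# 1. Report every adapter that deviates from the baseline.
Get-VMPortProtectionReport |
    Where-Object { $_.MacAddressSpoofing -eq 'On' -or
                   $_.DhcpGuard -eq 'Off' -or
                   $_.RouterGuard -eq 'Off' } |
    Format-Table -AutoSize

# 2. Enforce the baseline on all VMs. Filter out any VM that legitimately
#    needs MAC spoofing (for example nested virtualization) before this step.
Get-VM | ForEach-Object { Set-VMPortProtection -VMName $_.Name }

# 3. Port ACL for micro-segmentation: the assumed tenant VM may only talk
#    to its own /16. Hyper-V applies the most specific matching rule, so the
#    /16 allow wins over the catch-all deny. ::/0 covers IPv6 as well.
$vm = 'Tenant-Web01'
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 10.10.0.0/16 -Direction Both -Action Allow
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress 0.0.0.0/0    -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $vm -RemoteIPAddress ::/0         -Direction Both -Action Deny
Get-VMNetworkAdapterAcl -VMName $vm
```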
Hyper-V Teaming Technology
A really great feature found in Windows Server 2016 Hyper-V is Switch Embedded Teaming, or SET. This teaming technology, introduced in Windows Server 2016, provides an alternative way to team NICs in a Hyper-V host by integrating the teaming functionality directly into the Hyper-V virtual switch.
A SET team allows you to group between one and eight physical network adapters into a software-based virtual network adapter that provides fast performance and fault tolerance in the event of failures. The SET team is configured per Hyper-V host, and all members of a team must reside in the same host.
Because the SET team is integrated into the Hyper-V virtual switch, it cannot be presented to a guest operating system running in a VM. You can use NIC Teaming inside a VM, just not SET. SET can be managed via PowerShell, as well as over Remote Desktop Connections to the host to configure and interact with SET.
A fundamental difference between SET and regular NIC teaming is that with NIC teaming you can have a standby adapter, whereas in a SET team all adapters are active and none can be in standby mode. The SET team works in switch independent mode, meaning the physical switches to which the SET team is connected are unaware of the SET teaming and do not distribute traffic between the SET members. Rather, the SET team itself distributes the inbound network traffic across the SET members.
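As an added example (not from the original post), this builds a SET-backed external switch on a Windows Server 2016 or later host and checks that every member is up. The adapter names 'NIC1' and 'NIC2', the switch name and the management VLAN ID are assumed values; run it in an elevated session on the host.

```powershell
# Added example (not from the original post): create a Switch Embedded
# Teaming (SET) switch and verify its members. 'NIC1', 'NIC2',
# 'SET-External' and VLAN 100 are assumed values.

Import-Module Hyper-V

# Create the external switch with SET enabled on two uplinks. All members
# are active (no standby) and the team is switch independent, so the
# physical switches need no LACP or port-channel configuration.
New-VMSwitch -Name 'SET-External' `
    -NetAdapterName 'NIC1', 'NIC2' `
    -EnableEmbeddedTeaming $true `
    -AllowManagementOS $false

# Choose how traffic is spread across the members:
#   HyperVPort - each vNIC is pinned to one member (simple, predictable)
#   Dynamic    - flow-based spreading across members
# The default depends on the Windows Server version, so set it explicitly.
Set-VMSwitchTeam -Name 'SET-External' -LoadBalancingAlgorithm HyperVPort

# Give the host its own management vNIC on the switch, tagged on a
# separate VLAN, instead of sharing an untagged port with VMs.
Add-VMNetworkAdapter -ManagementOS -Name 'Mgmt' -SwitchName 'SET-External'
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'Mgmt' `
    -Access -VlanId 100

function Test-SetTeamHealthy {
    param([Parameter(Mandatory)][string]$SwitchName)
    # Returns $true only when the team exists and every physical member
    # reports Status 'Up'; a single down member means no redundancy left.
    $team = Get-VMSwitchTeam -Name $SwitchName -ErrorAction SilentlyContinue
    if (-not $team) { return $false }
    $members = Get-NetAdapter -InterfaceDescription $team.NetAdapterInterfaceDescription
    $down = $members | Where-Object { $_.Status -ne 'Up' }
    foreach ($m in $down) {
        Write-Warning "SET member '$($m.Name)' on $SwitchName is $($m.Status)"
    }
    return ($down.Count -eq 0)
}

Get-VMSwitchTeam -Name 'SET-External' | Format-List
Test-SetTeamHealthy -SwitchName 'SET-External'
```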
Types of Hyper-V Virtual Switches
When looking at the Hyper-V virtual switch, there are three different types of switches that can be configured for use. They include:
- Private Virtual Switch
- Internal Virtual Switch
- External Virtual Switch
Private Virtual Switch
With the Private Virtual Switch, the virtual switch only allows communication between the virtual machines that are connected to it.
A good real-world application of the private virtual switch is for use with guest clustering technologies for cluster traffic.
Internal Virtual Switch
With the Internal Virtual Switch, communication is only allowed between the virtual adapters of the connected VMs and the management operating system. This means the host is able to see traffic on the internal virtual switch.
The primary benefit of using either the private or internal virtual switch is for isolating traffic to be sure that it does not traverse outside of the virtual switch. The only way that traffic leaves the private or internal virtual switch is by using a router to route traffic outside.
External Virtual Switch
The external virtual switch is the most common type of Hyper-V virtual switch and will be used in most environments, as it allows connecting virtual machines to the physical network. The external virtual switch is connected to a physical network adapter installed in the Hyper-V host, which makes this communication outside the host possible.
With the external virtual switch, virtual machines can be connected to the outside world without any additional routing mechanism in place. However, with both private and internal switches, there must be some type of routing functionality that allows getting traffic from the internal/private virtual switches to the outside.
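The three switch types, created and compared from PowerShell, as an added example that is not part of the original post. It assumes an elevated session on the host; 'LAN01', the VM names 'Web01', 'Node01' and 'Node02', and the 192.168.50.0/24 range are assumed values.

```powershell
# Added example (not from the original post): create one switch of each
# type, attach VM adapters, and report which switches have a path off the
# host. 'LAN01', the VM names and 192.168.50.0/24 are assumed values.

Import-Module Hyper-V

# External: bound to a physical NIC, so VMs reach the physical network
# with no extra routing.
New-VMSwitch -Name 'External01' -NetAdapterName 'LAN01' -AllowManagementOS $true

# Internal: VM-to-VM plus a host vNIC named 'vEthernet (Internal01)', so the
# management OS can see the traffic. Nothing leaves the host without a router.
New-VMSwitch -Name 'Internal01' -SwitchType Internal
New-NetIPAddress -InterfaceAlias 'vEthernet (Internal01)' `
    -IPAddress 192.168.50.1 -PrefixLength 24

# Private: VM-to-VM only; the host has no adapter on this switch at all.
New-VMSwitch -Name 'Private01' -SwitchType Private

# Attach adapters: the web VM to the external switch, and a second NIC on
# each guest-cluster node to the private switch for cluster traffic.
Connect-VMNetworkAdapter -VMName 'Web01' -SwitchName 'External01'
foreach ($node in 'Node01', 'Node02') {
    Add-VMNetworkAdapter -VMName $node -Name 'Cluster' -SwitchName 'Private01'
}

function Get-SwitchExposure {
    # One row per switch: type, physical uplink (empty for Internal and
    # Private), whether the host has an adapter on it, and attached VMs.
    Get-VMSwitch | ForEach-Object {
        $sw = $_
        [pscustomobject]@{
            Name       = $sw.Name
            Type       = $sw.SwitchType
            Uplink     = $sw.NetAdapterInterfaceDescription
            HostAccess = $sw.AllowManagementOS
            VMs        = (Get-VMNetworkAdapter -VMName * |
                          Where-Object { $_.SwitchName -eq $sw.Name }).VMName -join ','
        }
    }
}

Get-SwitchExposure | Format-Table -AutoSize
```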
Hyper-V Logical Switches
When utilizing System Center in a Hyper-V environment, the Virtual Machine Manager or VMM fabric enables the use of a different kind of Hyper-V virtual switch – logical switches. A logical switch brings together the virtual switch extensions, port profiles, and port classifications so that network adapters can be consistently configured across multiple hosts. This way, multiple hosts can have the same logical switch and uplink ports associated.
This is similar in feel and function for VMware administrators who have experience with the distributed virtual switch. The configuration for the distributed virtual switch is stored at the vCenter Server level. The configuration is then deployed from vCenter to each host rather than from the host side.
The Hyper-V virtual switch is a powerful construct in the realm of Hyper-V infrastructure. Allowing network traffic in and out of the Hyper-V environment is crucial to enabling virtual machines to communicate with one another and with the intranet and Internet in general.
As shown, the Hyper-V virtual switch is a powerful software-defined networking technology that offers many powerful features, including programmability and extensibility. Many great security features are contained in the Hyper-V virtual switch that enable organizations to enforce policy and protect against many common network-based attacks.
By using SET teaming with Windows Server 2016 and higher, Hyper-V can make much more efficient use of uplinks and physical connections. Hyper-V also provides flexibility in the types and use cases included with the three different Hyper-V virtual switches – external, internal, and private.
Hyper-V Logical Switches can be created with System Center Virtual Machine Manager and provide the ability to create virtual switches that are housed at the System Center level and can be applied to Hyper-V hosts accordingly. Each of these allows controlling and enabling network traffic to traverse within the Hyper-V environment in different ways.
This allows for creating a standardized and consistent configuration for all Hyper-V hosts. Hyper-V native tools allow creating the standard virtual switch, including Hyper-V Manager and PowerShell.
In the next part of the series, we will take a look at how to create Hyper-V virtual switches using Hyper-V Manager and PowerShell.