Hyper-V Network Virtualization Motivation & Packet Flows
Evolution of Clouds
[Figure: progression from traditional datacenters with dedicated servers, to server virtualization in datacenters, to cloud (public, private, hybrid); the axes are Servers and Infrastructure Optimization, with Cost and Flexibility as the drivers. Caption: Any Service, Any Server, Any Cloud]
Private Cloud: Datacenter Consolidation
[Figure: distinct datacenters, one per business unit (Sales, Finance, R&D), consolidated into a single multi-tenant datacenter hosting Sales, Finance and R&D side by side]
Hybrid Cloud: Seamless Datacenter Extension
[Figure: a private cloud / enterprise datacenter extended into a public cloud]
Multi-Tenant Cloud Requirements
• Secure isolation
• Dynamic service placement
• QoS & resource metering
[Figure: Private cloud: multiple business units (Woodgrove Bank Finance, Sales) on shared infrastructure. Public cloud: multiple customers (Woodgrove Bank, Contoso Bank) on shared infrastructure in a multi-tenant datacenter]
Datacenter Resource Utilization: Consolidation
[Figure: Typical: fragmented utilization across servers. Ideal: consolidated utilization]
Resource Utilization: Flexibility and Growth
Ideal: workloads can be placed anywhere and can dynamically grow and shrink without being constrained by the network.
Dynamic VLAN Reconfiguration is Cumbersome
[Figure: aggregation switches carrying VLAN tags down to ToR switches and the VMs behind them]
Topology limits VM placement and requires reconfiguration of production switches.
To improve resource utilization on servers, we virtualized them. Therefore… virtualize the network!
Hyper-V Network Virtualization
Server Virtualization
• Run multiple virtual servers on a physical server
• Each VM has the illusion it is running as a physical server
Hyper-V Network Virtualization
• Run multiple virtual networks on a physical network
• Each virtual network has the illusion it is running as a physical network
[Figure: a Blue VM and a Red VM virtualized on one physical server; a Blue Network and a Red Network virtualized on one physical network]
Virtualize Customer Addresses
[Figure: System Center holds the virtualization policy for the datacenter network. BlueCorp (Blue1 at 10.0.0.5, Blue2 at 10.0.0.7) and RedCorp (Red1 at 10.0.0.5, Red2 at 10.0.0.7) use overlapping Customer Address space (CA). Host 1 has Provider Address (PA) 192.168.4.11 and runs Blue1 and Red1; Host 2 has PA 192.168.4.22 and runs Blue2 and Red2. The policy table maps each VM's CA to the PA of the host it runs on.]
Hyper-V Network Virtualization Concepts
• Customer VM Network
• One or more virtual subnets forming an isolation boundary
• A customer may have multiple Customer VM Networks, e.g. Blue R&D and Blue Sales are isolated from each other
• Virtual Subnet
• Broadcast boundary
[Figure: a hoster datacenter with Red Corp (Red HR Net containing Red Subnet1 and Red Subnet2) and Blue Corp (Blue R&D Net and Blue Sales Net, containing Blue Subnet1 through Blue Subnet5 between them); each named subnet is a Virtual Subnet, each named net is a Customer VM Network]
Standards-Based Encapsulation - NVGRE
• Better network scalability by sharing a PA among VMs
• Explicit Virtual Subnet ID for better multi-tenancy support
[Figure: two NVGRE packets side by side. Both carry the outer PA header 192.168.2.22 → 192.168.5.55; one carries GRE Key = Blue Subnet, the other GRE Key = Red Subnet; each then carries the inner MAC header and the inner CA header 10.0.0.5 → 10.0.0.7. The same CA pair appears in different virtual subnets and is kept apart only by the GRE key.]
Hyper-V Network Virtualization Architecture
Data Center Policy
• Blue: VM1: MAC1, CA1, PA1; VM2: MAC2, CA2, PA3; VM3: MAC3, CA3, PA5; …
• Red: VM1: MACX, CA1, PA2; VM2: MACY, CA2, PA4; VM3: MACZ, CA3, PA6; …
• Network Virtualization is transparent to VMs
• Management OS traffic is NOT virtualized; only VM traffic
• Hyper-V Switch and Extensions operate in CA space
[Figure: Windows Server 2012 host stack. VMs (CA space) connect to the Hyper-V Switch, which applies VSID ACL isolation and runs switch extensions; below it the Network Virtualization filter performs IP virtualization, policy enforcement and routing; the host network stack and NICs operate in PA space. Management, live migration, cluster and storage traffic bypass network virtualization. System Center pushes the policy to a System Center host agent on each host; Host 1 (PA1) and Host 2 (PA2) each run VMs from both tenants (VM1/CA1, VMX/CAX, VM2/CA2, VMY/CAY).]
Same VSID :: Same Host Packet Flow: Blue1 Sending to Blue2
(Blue1 10.0.0.5 and Blue2 10.0.0.7 both on VSID 5001 on host 192.168.4.11 / MACPA1; Red1 and Red2 on VSID 6001 share the host)
• Where is 10.0.0.7? Blue1 sends an ARP for 10.0.0.7. The Hyper-V Switch broadcasts the ARP to all local VMs on VSID 5001 and to the Network Virtualization filter. Blue2 responds to the ARP for 10.0.0.7 on VSID 5001 with its MAC; Blue1 learns to use MACB2 for 10.0.0.7.
• Blue1 sends the frame MACB1 → MACB2, 10.0.0.5 → 10.0.0.7. In the Hyper-V Switch it carries the out-of-band data OOB: VSID 5001, and VSID ACL enforcement is applied.
• Blue2 receives the same frame, MACB1 → MACB2, 10.0.0.5 → 10.0.0.7, with OOB: VSID 5001. The packet stays inside the Hyper-V Switch and never reaches the Network Virtualization filter or the NIC.
Same VSID :: Different Host Packet Flow: Blue1 Sending to Blue2
(Blue1 10.0.0.5 on host 192.168.4.11 / MACPA1; Blue2 10.0.0.7 on host 192.168.4.22 / MACPA2; both on VSID 5001)
• Where is 10.0.0.7? Blue1 sends an ARP for 10.0.0.7. The Hyper-V Switch broadcasts the ARP to all local VMs on VSID 5001 and to the Network Virtualization filter. The Network Virtualization filter responds to the ARP for 10.0.0.7 on VSID 5001 with Blue2's MAC; Blue1 learns to use MACB2 for 10.0.0.7. The ARP is NOT broadcast to the network.
• Blue1 sends MACB1 → MACB2, 10.0.0.5 → 10.0.0.7. In the Hyper-V Switch the frame carries OOB: VSID 5001 (VSID ACL enforcement), then passes to the Network Virtualization filter (IP virtualization, policy enforcement, routing). NVGRE on the wire: outer MACPA1 → MACPA2, outer IP 192.168.4.11 → 192.168.4.22, GRE key 5001, inner MACB1 → MACB2, 10.0.0.5 → 10.0.0.7.
• On host 2 the Network Virtualization filter decapsulates the NVGRE packet and attaches OOB: VSID 5001; the Hyper-V Switch applies VSID ACL enforcement and delivers MACB1 → MACB2, 10.0.0.5 → 10.0.0.7 to Blue2.
Packet Flow: Different Virtual Subnet, Same Host (VSID 5001 and 5222 in the same routing domain)
Different VSID :: Same Host Packet Flow: Blue1 Sending to Blue2
(Blue1 10.0.0.5 on VSID 5001 and Blue2 10.0.1.7 on VSID 5222, both on host 192.168.4.11 / MACPA1; Red1 and Red2 on VSID 6001 share the host)
• Where is the default gateway? Blue1 sends an ARP for 10.0.0.1 (default gateway). The Hyper-V Switch broadcasts the ARP to all local VMs on VSID 5001 and to the Network Virtualization filter. The Network Virtualization filter responds to the ARP with MACDGW; Blue1 learns to use MACDGW for 10.0.0.1.
• Blue1 sends MACB1 → MACDGW, 10.0.0.5 → 10.0.1.7 with OOB: VSID 5001 through the Hyper-V Switch (VSID ACL enforcement) into the Network Virtualization filter. The Network Virtualization filter verifies that Blue1 and Blue2 are in the same routing domain; otherwise the packet is dropped.
• The Network Virtualization filter uses Blue2's VSID and destination MAC and retains Blue1's source MAC: the frame becomes MACB1 → MACB2, 10.0.0.5 → 10.0.1.7 with OOB: VSID 5222 and is delivered to Blue2 through the Hyper-V Switch. The packet never leaves the host.
Packet Flow: Different Virtual Subnet, Different Hosts (VSID 5001 and 5222 in the same routing domain)
Different VSID :: Different Host Packet Flow: Blue1 Sending to Blue2
(Blue1 10.0.0.5 on VSID 5001 on host 192.168.4.11 / MACPA1; Blue2 10.0.1.7 on VSID 5222 on host 192.168.4.22 / MACPA2)
• Where is the default gateway? Blue1 sends an ARP for 10.0.0.1 (default gateway). The Hyper-V Switch broadcasts the ARP to all local VMs on VSID 5001 and to the Network Virtualization filter. The Network Virtualization filter responds to the ARP with MACDGW; Blue1 learns to use MACDGW for 10.0.0.1. The ARP is NOT broadcast to the network.
• Blue1 sends MACB1 → MACDGW, 10.0.0.5 → 10.0.1.7 with OOB: VSID 5001 through the Hyper-V Switch (VSID ACL enforcement) into the Network Virtualization filter (IP virtualization, policy enforcement, routing), which checks that both VMs are in the same routing domain and rewrites the destination to Blue2's VSID and MAC. NVGRE on the wire: outer MACPA1 → MACPA2, outer IP 192.168.4.11 → 192.168.4.22, GRE key 5222, inner MACB1 → MACB2, 10.0.0.5 → 10.0.1.7.
• On host 2 the Network Virtualization filter decapsulates the NVGRE packet and attaches OOB: VSID 5222; the Hyper-V Switch applies VSID ACL enforcement and delivers MACB1 → MACB2, 10.0.0.5 → 10.0.1.7 to Blue2.
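The flows above come down to a handful of decisions made by the sending host's Network Virtualization filter: a (VSID, CA) policy lookup, an ARP answer that never reaches the wire, a routing-domain check that drops traffic between tenants, a destination VSID and MAC rewrite for the routed case, and NVGRE encapsulation with the destination VSID in the GRE key; the receiving host then decapsulates and applies the VSID ACL. The Python below is an added example written for this page to make those decisions concrete; it is not Microsoft code and not the filter's real implementation. The policy table, the MAC addresses, the Blue3 and Red3 entries and the gateway addresses are constructed (the deck reuses the name Blue2 for the VSID 5222 VM at 10.0.1.7, which is Blue3 here), and the GRE key layout (a 24-bit VSID above an 8-bit FlowID, protocol type 0x6558) is taken from RFC 7637 rather than from the slides, which only say "GRE Key".

```python
"""Toy model of the Hyper-V Network Virtualization filter. Constructed example, not Microsoft code."""
import struct
from dataclasses import dataclass
from socket import inet_aton
from typing import Optional, Tuple

ETH_IPV4 = 0x0800
IP_PROTO_GRE = 47
GRE_KEY_PRESENT = 0x2000                  # GRE "K" flag: a 32-bit Key follows the header
NVGRE_PROTO = 0x6558                      # Transparent Ethernet Bridging (RFC 7637)
DGW_MAC = bytes.fromhex("02000000dd01")   # constructed stand-in for the deck's MACDGW

@dataclass(frozen=True)
class Policy:
    vm: str
    mac: bytes      # VM MAC in CA space (the deck's MACB1, MACB2, ...)
    ca: str         # Customer Address
    pa: str         # Provider Address of the host running the VM
    pa_mac: bytes   # host NIC MAC (MACPA1, MACPA2)
    vsid: int       # Virtual Subnet ID, carried in the GRE key
    domain: str     # routing domain; only VSIDs in one domain may route to each other

def _mac(n: int) -> bytes:                # constructed, locally administered MACs
    return bytes.fromhex(f"0200000000{n:02x}")

# Constructed policy mirroring the deck: Host 1 is 192.168.4.11, Host 2 is 192.168.4.22.
# Blue1 and Red1 both use CA 10.0.0.5; only the VSID tells them apart.
POLICY = (
    Policy("Blue1", _mac(0x11), "10.0.0.5", "192.168.4.11", _mac(0xA1), 5001, "blue"),
    Policy("Blue2", _mac(0x12), "10.0.0.7", "192.168.4.22", _mac(0xA2), 5001, "blue"),
    Policy("Blue3", _mac(0x13), "10.0.1.7", "192.168.4.22", _mac(0xA2), 5222, "blue"),
    Policy("Red1", _mac(0x21), "10.0.0.5", "192.168.4.11", _mac(0xA1), 6001, "red"),
    Policy("Red2", _mac(0x22), "10.0.0.7", "192.168.4.22", _mac(0xA2), 6001, "red"),
    Policy("Red3", _mac(0x23), "10.0.2.9", "192.168.4.22", _mac(0xA2), 6002, "red"),
)
GATEWAY_CA = {5001: "10.0.0.1", 5222: "10.0.1.1", 6001: "10.0.0.1", 6002: "10.0.2.1"}

def lookup(vsid: int, ca: str) -> Optional[Policy]:
    return next((p for p in POLICY if p.vsid == vsid and p.ca == ca), None)

def arp_reply(vsid: int, target_ca: str) -> Optional[bytes]:
    """MAC the filter answers with for an ARP on this VSID; the ARP never reaches the wire."""
    if target_ca == GATEWAY_CA.get(vsid):
        return DGW_MAC
    hit = lookup(vsid, target_ca)
    return hit.mac if hit else None

def _checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload

def ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload

def nvgre_encapsulate(src: Policy, dst: Policy, inner: bytes, flow_id: int = 0) -> bytes:
    """Outer Ethernet + outer IPv4 (PA space) + GRE with Key = VSID<<8 | FlowID + inner frame."""
    gre = struct.pack("!HHI", GRE_KEY_PRESENT, NVGRE_PROTO, (dst.vsid << 8) | flow_id)
    return ethernet(dst.pa_mac, src.pa_mac, ETH_IPV4, ipv4(src.pa, dst.pa, IP_PROTO_GRE, gre + inner))

def nvgre_decapsulate(frame: bytes) -> Tuple[int, bytes]:
    """Return (VSID, inner Ethernet frame); reject anything that is not NVGRE."""
    ihl = (frame[14] & 0x0F) * 4
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not IPv4/GRE")
    flags, proto, key = struct.unpack("!HHI", frame[14 + ihl:14 + ihl + 8])
    if not flags & GRE_KEY_PRESENT or proto != NVGRE_PROTO:
        raise ValueError("not NVGRE")
    return key >> 8, frame[14 + ihl + 8:]

def forward(src_vsid: int, src_ca: str, dst_ca: str, payload: bytes):
    """Sending host's decision for a VM frame: ('local'|'nvgre', wire VSID, frame), or None if dropped."""
    src = lookup(src_vsid, src_ca)
    if src is None:
        return None
    dst = lookup(src_vsid, dst_ca)                    # same virtual subnet?
    if dst is None:                                   # no: the VM sent to MACDGW, try to route it
        dst = next((p for p in POLICY if p.domain == src.domain and p.ca == dst_ca), None)
    if dst is None:                                   # other routing domain or unknown CA: drop
        return None
    # routed case: destination VSID and MAC are rewritten, the source MAC is retained
    inner = ethernet(dst.mac, src.mac, ETH_IPV4, ipv4(src.ca, dst.ca, 17, payload))
    if src.pa == dst.pa:
        return ("local", dst.vsid, inner)             # stays in the Hyper-V Switch, OOB VSID only
    return ("nvgre", dst.vsid, nvgre_encapsulate(src, dst, inner))

def receive(host_pa: str, wire_frame: bytes) -> Optional[str]:
    """Receiving host: decapsulate, then VSID ACL: deliver only to a local VM on that VSID."""
    vsid, inner = nvgre_decapsulate(wire_frame)
    hit = next((p for p in POLICY if p.pa == host_pa and p.vsid == vsid and p.mac == inner[:6]), None)
    return hit.vm if hit else None
```

Calling `forward(5001, "10.0.0.5", "10.0.0.7", b"...")` reproduces the same-VSID cross-host slide (GRE key 5001, inner MACB1 → MACB2), while `forward(5001, "10.0.0.5", "10.0.1.7", b"...")` reproduces the routed one (GRE key 5222, destination MAC rewritten to the VSID 5222 VM). The isolation property the deck calls "secure isolation" shows up in two places: `arp_reply` gives a different answer for 10.0.0.7 on VSID 5001 and on VSID 6001, and `forward` returns None for Red3's CA even though it exists in the policy, because the routed lookup is scoped to the sender's routing domain. Only the ARP answered by the filter is modelled; on a single host the switch may also let the target VM answer itself, as the same-host slides show.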
Private Cloud
• IP addresses
• VMs and CorpNet running 10.229.x
• Datacenter has 10.60.x PA addresses
• Hyper-V Network Virtualization Gateway bridges the network-virtualized environment with the non-network-virtualized environment
[Figure: CorpNet (DC, SQL, DNS) connected through a Hyper-V Network Virtualization Gateway to the consolidated datacenter, whose PA space is 10.60.x. Host1, Host2 and Host3 run the VMs R1-R4, B1-B3, Y1 and Y2 on the customer subnets 10.229.200.x, 10.229.201.x, 10.229.202.x and 10.229.203.x]
Hybrid Cloud
With Hyper-V Network Virtualization and a site-to-site VPN, on-premises resources are seamlessly extended to the cloud.
[Figure: BlueCorp's on-premises site (DC, SQL, DNS) connects over the Internet by S2S VPN to a Hyper-V Network Virtualization Gateway in the hoster datacenter; Blue Private Cloud (Web1, Web2, Web3) runs on the network virtualization fabric across the hoster's hosts alongside RedCorp's VMs (labels R1, R2 also appear on the slide)]
Additional Resources
• Hyper-V Network Virtualization Whitepaper: http://technet.microsoft.com/en-us/library/jj134230.aspx
• Hyper-V Network Virtualization Blog Entry: http://blogs.technet.com/b/windowsserver/archive/2012/04/16/introducing-windows-server-8-hyper-v-network-virtualization-enabling-rapid-migration-and-workload-isolation-in-the-cloud.aspx
• Hyper-V Network Virtualization Survival Guide: http://social.technet.microsoft.com/wiki/contents/articles/11524.windows-server-2012-hyper-v-network-virtualization-survival-guide.aspx
• PowerShell Scripts
• Simple deployment: http://gallery.technet.microsoft.com/scriptcenter/Simple-Hyper-V-Network-d3efb3b8
• Simple gateway: http://gallery.technet.microsoft.com/scriptcenter/Simple-Hyper-V-Network-6928e91b
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.