Join a true VMM Ninja and learn about network virtualization in a practical way.
This session walks through the configuration steps required and also explains what happens and, more importantly, why and how it happens.
Windows Server and System Center use Network Virtualization with GRE (NVGRE) to fulfill the Cloud OS story, and it must be considered mandatory for hybrid cloud solutions, whether in the enterprise or as part of a hosting plan with Windows Azure Pack.
VMM is responsible for deploying, maintaining and configuring the NVGRE policies across your cloud infrastructure, so everything is performed from this single console. (Yes, you will learn a lot about networking in VMM in general during this session too.)
2. Dynamic VLAN Reconfiguration is Cumbersome
[Diagram: aggregation switches above ToR switches carrying VLAN tags, with VMs placed per rack]
Topology limits VM placement and requires reconfiguration of production switches
3. Session Objectives
• Business requirements
• Explaining the technology and features involved
• VMM Networking (HUGE TOPIC!) Configuration and Setup
• Network Virtualization in Windows Server Hyper-V 2012 R2 and VMM 2012 R2
• Microsoft Multi-Tenant Gateway
5. Business Requirements
Enterprises
• In a private cloud, datacenter consolidation is easier to achieve by using network virtualization
• Incremental integration of an acquired company's network infrastructure
• Extension of the datacenter into a hybrid cloud
Service Providers
• Tenants can bring their own network topology, and eventually manage their own networks (VM networks)
• Share a single physical network securely across multiple tenants
Workload owners and tenants
• Seamless migration to the cloud
• Move n-tier topologies to the cloud
• Preserve policies, VM settings and IP addresses
Cloud and Datacenter Administrators
• Decoupling of server and network admin roles increases agility
• Flexible VM placement without network reconfiguration
• Reduced costs for management and support
10. Where and What Isolation Should We Use?
[Diagram: load balancer back end and Internet-facing tiers]
11. Logical Networks
• Models the physical network
• Separates like subnets and VLANs into named objects that can be scoped to a site
• Container for fabric static IP address pools
• VM networks are created on a logical network
12. Port Profiles and Classifications
• Two Port Profile Types
  • Uplink
  • Virtual
• Port Classifications
  • Container for port profile settings
  • Reusable
  • Exposed to tenants through cloud
13. Logical Switch
• Central container for virtual switch settings
• Consistent port profiles across data center
• Consistent extensions
• Compliance enforcement
16. Virtualize Customer Addresses
[Diagram: Blue Corp and Red Corp each use the same Customer Address (CA) space, 10.0.0.5 and 10.0.0.7. System Center holds the datacenter network virtualization policy that maps each CA to a Provider Address (PA): Blue1 and Red1 (both CA 10.0.0.5) run on Host 1 and map to PA 192.168.4.11; Blue2 and Red2 (both CA 10.0.0.7) run on Host 2 and map to PA 192.168.4.22. The overlapping CA ranges never collide on the PA network because Blue and Red belong to different routing domains.]
17. Hyper-V Network Virtualization Concepts
• Customer VM Network
  • One or more virtual subnets forming an isolation boundary
  • A customer may have multiple Customer VM Networks, e.g. Blue R&D and Blue Sales are isolated from each other
• Virtual Subnet
  • Broadcast boundary
[Diagram: a hoster datacenter with Blue Corp (Blue R&D Net and Blue Sales Net, made up of Blue Subnet1 to Blue Subnet5) and Red Corp (Red HR Net, made up of Red Subnet1 and Red Subnet2); each Customer VM Network consists of virtual subnets]
19. Network Virtualization Improvements in Windows Server 2012 R2 Hyper-V
• Network Virtualization is now a virtual switch extension
  • Hyper-V network virtualization and forwarding extensions can coexist
  • Hyper-V Network Virtualization enabled by default
• Broadcast/Multicast Support
• Dynamic IP Address Learning
  • Support for Guest Clustering
  • DHCP inside VM Networks
• Inbound and outbound spread on virtualized traffic
  • Higher performance with teamed NICs
  • Utilizes LBFO's new Dynamic Mode
20. Network Virtualization Improvements in Windows Server 2012 R2 Hyper-V
• Provider Addresses configured with a MAC address
  • *-NetVirtualizationProviderAddress cmdlets updated to take a MAC address
  • Optimal performance when you have 1 (or more) PAs per NIC in the team
• Enhanced diagnostics: Test-VMNetworkAdapter and Select-NetVirtualizationNextHop
• NVGRE Encapsulated Task Offload: available in 2012, but only recently have Emulex and Mellanox announced products supporting NVGRE Task Offload
21. Network Virtualization Improvements in VMM 2012 R2
• Improved HNV policy application
• All network devices* and services are now "network services"
• Highly available Multi-Tenant Gateway
• Full IPAM integration
  • In-box plugin for Microsoft IPAM
  • Exchange logical networks, sites and subnets
• More error-resistant VMM server
23. Hybrid Networking in WS2012 R2
• Multitenant S2S network virtualization GW
• Clustering for high availability on guest and host level
• Uses BGP for dynamic route updates
• Multitenant-aware NAT for Internet access
• Integration with VMM 2012 R2
• Up to 200 S2S VPN connections, 50 routing domains and 500 virtual subnets
[Diagram: the hoster's gateway in front of the Contoso, Northwind and Fabrikam VM networks, exchanging routes over BGP and providing their path to the Internet]
27. IPsec Parameters for S2S VPNs
IKE Phase 1 Setup
Property | Setting
IKE Version | IKEv2
Diffie-Hellman Group | Group 2 (1024 bit)
Authentication Method | Pre-Shared Key
Encryption Algorithms | AES256, 3DES
Hashing Algorithm | SHA1 (SHA128)
Phase 1 Security Association (SA) Lifetime (Time) | 28,800 seconds

IKE Phase 2 Setup
Property | Setting
IKE Version | IKEv2
Hashing Algorithm | SHA1 (SHA128)
Phase 2 Security Association (SA) Lifetime (Time) | -
Phase 2 Security Association (SA) Lifetime (Throughput) | -
IPsec SA Encryption & Authentication Offers (in order of preference) | See Dynamic Routing Gateway IPsec Security Association (SA) Offers
Perfect Forward Secrecy (PFS) | No
Dead Peer Detection | Supported

SHA1, DH Group 2 (1024-bit) and 3DES are weak by current standards and PFS is off in this set, so negotiate stronger offers, and enable PFS, wherever the peer device supports them.
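The parameter set above as it would be pinned on the enterprise side of the tunnel, assuming the on-premises peer is Windows Server 2012 R2 Routing and Remote Access (one of the compatible devices listed in this deck) connecting to the multi-tenant gateway. This is an added example, not from the deck or from the gateway configuration templates; the interface name, gateway address, tenant prefix and pre-shared key are placeholders. The first command mirrors the table exactly; the second shows the stronger offers a practitioner would negotiate where the peer accepts them.

```powershell
# Added example: RRAS S2S interface on Windows Server 2012 R2 matching the slide 27 table.
# Placeholders (not from the deck): interface name, gateway public IP, the tenant
# prefix reachable through the tunnel, and the pre-shared key. Run elevated.
Import-Module RemoteAccess

$GatewayIp = '203.0.113.10'                     # public IP of the multi-tenant gateway (placeholder)
$Psk       = 'replace-with-a-long-random-key'   # pre-shared key (placeholder)

# 1. Exactly the offers on the slide: IKEv2, PSK, AES256, SHA1,
#    DH Group 2 (1024-bit), no PFS, Phase 1 SA lifetime 28,800 seconds.
#    '10.0.0.0/24:100' is the remote prefix with route metric 100.
Add-VpnS2SInterface -Name 'ToHosterGateway' -Destination $GatewayIp `
    -Protocol IKEv2 -AuthenticationMethod PSKOnly -SharedSecret $Psk `
    -IPv4Subnet '10.0.0.0/24:100' `
    -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA1 -DHGroup Group2 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA196 `
    -PfsGroup None -SALifeTimeSeconds 28800

# 2. Hardened offers: SHA256, DH Group 14 (2048-bit), AES-GCM and PFS.
#    Apply only if the peer is configured to accept them; IKEv2 fails the
#    negotiation on a proposal mismatch instead of downgrading.
Set-VpnS2SInterface -Name 'ToHosterGateway' -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup PFS2048 -SALifeTimeSeconds 28800

# 3. Bring the tunnel up and read back what was actually configured.
Connect-VpnS2SInterface -Name 'ToHosterGateway'
Get-VpnS2SInterface -Name 'ToHosterGateway' |
    Select-Object Name, ConnectionState, EncryptionMethod, IntegrityCheckMethod, DHGroup, PfsGroup
```

Keep the pre-shared key out of scripts in practice (read it from a secured store at run time); the table's authentication method is PSK only, so key length and rotation are the whole of the authentication story for this tunnel.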
28. Known Compatible VPN Devices
Vendor | Device Family | Minimum OS Version | Configuration Template
Cisco | ASR | IOS 15.2 | Cisco ASR templates
Cisco | ISR | IOS 15.1 | Cisco ISR templates
Juniper | SRX | JunOS 11.4 | Juniper SRX templates
Juniper | J-Series | JunOS 11.4 | Juniper J-series templates
Juniper | ISG | ScreenOS 6.3 | Juniper ISG templates
Juniper | SSG | ScreenOS 6.3 | Juniper SSG templates
Microsoft | Routing and Remote Access Service | Windows Server 2012 | Routing and Remote Access Service templates
34. Please evaluate the session before you leave
http://kristiannese.blogspot.com
@KristianNese
Hybrid Cloud with NVGRE – whitepaper: http://gallery.technet.microsoft.com/HybridCloud-with-NVGRE-aa6e1e9a
Editor's Notes
Technical description: the concept of network virtualization consists of what we call Customer Addresses, Provider Addresses, Virtual Subnet IDs and Routing Domains.

A Customer Address (CA) is assigned by the customer/tenant based on their own subnets, IP ranges and network topology. This address is visible only to the virtual machine, and to other virtual machines in the same VM network (including other virtual subnets of that VM network, if you allow routing between them). It is important to remember that the CA is visible only to the VM and never to the underlying network fabric.

A Provider Address (PA) is assigned either by the administrator or by System Center Virtual Machine Manager, based on the physical network infrastructure. The PA is visible only on the physical network and is used when Hyper-V hosts (stand-alone or clustered) and other devices exchange packets while participating in network virtualization.

A Virtual Subnet is identified by a unique Virtual Subnet ID (VSID). It is analogous to a physical VLAN: it defines an IP subnet at Layer 3 and a broadcast domain boundary at Layer 2. The VSID must be unique within the datacenter and lies in the range 4096 to 2^24-2.

A Routing Domain defines the relationship between the virtual subnets created by a tenant and identifies the VM network. The Routing Domain ID (RDID) is a GUID that is unique within the datacenter. The network virtualization stack routes at Layer 3 between the virtual subnets of one routing domain through a default gateway (always x.x.x.1 in each virtual subnet), which can be neither disabled nor configured.
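The Blue/Red overlap from the Virtualize Customer Addresses slide, written out as the host-level HNV policy that VMM pushes to every Hyper-V host, so the CA, PA, VSID and RDID concepts above can be seen as concrete records. This is an added example and not part of the deck or of VMM's own scripts: the VSIDs, routing-domain GUIDs, MAC addresses and the PA-facing adapter name are assumptions, and in a VMM-managed fabric the lookup table is written by VMM, not by hand. It uses the NetWNV cmdlets of Windows Server 2012 R2 and finishes with the Select-NetVirtualizationNextHop diagnostic the deck mentions.

```powershell
# Added example: HNV policy for the Blue/Red CA overlap across two Hyper-V hosts.
# Run elevated on each host (Windows Server 2012 R2, NetWNV module).
# Assumptions (not from the deck): VSIDs 5001/6001, the routing-domain GUIDs,
# the MAC addresses, and a PA-facing NIC team named 'PA-Team'.

$PaAdapter  = Get-NetAdapter -Name 'PA-Team'   # assumed adapter name
$ThisHostPA = '192.168.4.11'                   # Host 1; use 192.168.4.22 on Host 2

# Routing Domain ID (RDID) per tenant. Both tenants use 10.0.0.0/24 as CA space;
# the RDID is what keeps Blue 10.0.0.5 and Red 10.0.0.5 apart. GUIDs are assumed.
$BlueRdid = '{11111111-1111-1111-1111-111111111111}'
$RedRdid  = '{22222222-2222-2222-2222-222222222222}'
$BlueVsid = 5001   # VSIDs are datacenter-unique, range 4096 to 2^24-2
$RedVsid  = 6001

# 1. The Provider Address sits on the physical NIC team and is visible only on
#    the fabric network. One PA per team member is the performance recommendation.
New-NetVirtualizationProviderAddress -InterfaceIndex $PaAdapter.ifIndex `
    -ProviderAddress $ThisHostPA -PrefixLength 24

# 2. The lookup table is the CA -> PA mapping. It must be identical on every host
#    that participates in network virtualization, which is why VMM owns it.
$Policy = @(
    @{ VM='Blue1'; CA='10.0.0.5'; PA='192.168.4.11'; Vsid=$BlueVsid; Rdid=$BlueRdid; Mac='00155D000501' },
    @{ VM='Blue2'; CA='10.0.0.7'; PA='192.168.4.22'; Vsid=$BlueVsid; Rdid=$BlueRdid; Mac='00155D000502' },
    @{ VM='Red1';  CA='10.0.0.5'; PA='192.168.4.11'; Vsid=$RedVsid;  Rdid=$RedRdid;  Mac='00155D000601' },
    @{ VM='Red2';  CA='10.0.0.7'; PA='192.168.4.22'; Vsid=$RedVsid;  Rdid=$RedRdid;  Mac='00155D000602' }
)
foreach ($r in $Policy) {
    New-NetVirtualizationLookupRecord -CustomerAddress $r.CA -ProviderAddress $r.PA `
        -VirtualSubnetID $r.Vsid -MACAddress $r.Mac -CustomerID $r.Rdid `
        -Rule TranslationMethodEncap -VMName $r.VM      # Encap = NVGRE encapsulation
}

# 3. One customer route per virtual subnet. NextHop 0.0.0.0 means on-link; the
#    HNV stack itself answers for the reserved default gateway 10.0.0.1.
New-NetVirtualizationCustomerRoute -RoutingDomainID $BlueRdid -VirtualSubnetID $BlueVsid `
    -DestinationPrefix '10.0.0.0/24' -NextHop '0.0.0.0' -Metric 255
New-NetVirtualizationCustomerRoute -RoutingDomainID $RedRdid -VirtualSubnetID $RedVsid `
    -DestinationPrefix '10.0.0.0/24' -NextHop '0.0.0.0' -Metric 255

# 4. Attach the VMs that run on this host to their virtual subnet (VSID 0 = not virtualized).
#    On Host 2 these lines target Blue2 and Red2 instead.
Set-VMNetworkAdapter -VMName 'Blue1' -VirtualSubnetId $BlueVsid
Set-VMNetworkAdapter -VMName 'Red1'  -VirtualSubnetId $RedVsid

# 5. Verify the way slide 20 suggests: the same CA resolves to two records, one per
#    tenant, and Blue 10.0.0.5 -> 10.0.0.7 should encapsulate to PA 192.168.4.22.
Get-NetVirtualizationLookupRecord -CustomerAddress '10.0.0.5' |
    Select-Object VirtualSubnetID, CustomerID, ProviderAddress
Select-NetVirtualizationNextHop -SourceCustomerAddress '10.0.0.5' `
    -DestinationCustomerAddress '10.0.0.7' -SourceVirtualSubnetID $BlueVsid
```

Run the same script on Host 2 with $ThisHostPA set to 192.168.4.22 and step 4 pointed at Blue2 and Red2: the lookup records and customer routes are identical everywhere, only the local PA and the local VMs differ. If the destination CA has no lookup record on a host, Select-NetVirtualizationNextHop cannot resolve a PA for it, which is the first thing to check when a tenant VM cannot reach its peer.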
A logical network is used to organize and simplify network assignments for hosts, virtual machines and services. As part of logical network creation, you can create network sites to define the VLANs, IP subnets, and IP subnet/VLAN pairs that are associated with the logical network in each physical location. The "one connected network" type is primarily intended for multiple sites where you want VMM to pick the correct subnet/VLAN pair for you; this is the case for VM deployment and for network virtualization PA address assignment, where you pick where the workload should be located and VMM picks the appropriate subnet/VLAN. The "independent VLANs" type is for the case where you know which subnet/VLAN you want and don't want VMM to make any assumptions about routing (routing may or may not exist); this is primarily used for VLANs assigned to specific tenants, where you pick the network and VMM finds the appropriate location. For infrastructure networks you can go either way.
A port profile for uplinks (also called an uplink port profile) specifies which logical networks can connect through a particular physical network adapter. After you create an uplink port profile, add it to a logical switch, which places it in the list of profiles that are available through that logical switch. When you apply the logical switch to a network adapter in a host, the uplink port profile is available in the list of profiles, but it is not applied to that network adapter until you select it from the list. This helps you create consistent network adapter configurations across multiple hosts while still letting you configure each network adapter according to your specific requirements. A port profile for virtual network adapters specifies capabilities for those adapters and lets you control how bandwidth is used on them; the capabilities include offload settings, security settings and bandwidth settings. A port classification provides a global name for identifying different types of virtual network adapter port profiles, so a classification can be used across multiple logical switches while the settings behind the classification remain specific to each logical switch.
A logical switch brings port profiles, port classifications and switch extensions together so that you can apply them consistently to network adapters on multiple host systems. Note that when you add an uplink port profile to a logical switch, this places the uplink port profile in the list of profiles that are available through that logical switch.
VM networks enable you to use network virtualization, which extends the concept of server virtualization to make it possible to deploy multiple virtual networks (VM networks) on the same physical network.
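The objects described in the four notes above (logical network, network site, fabric IP pool, uplink port profile, logical switch and VM networks), built in one sequence with the VMM 2012 R2 PowerShell module. This is an added example, not the deck's script or one generated by VMM: object names, the PA subnet and pool ranges, and the "All Hosts" host group are assumptions (the 192.168.4.x PA and 10.0.0.0/24 CA values are the ones used on the Blue/Red slide). The authoritative script for any object is the one VMM emits from the console's View Script button.

```powershell
# Added example: fabric objects for NVGRE in VMM 2012 R2.
# Run from the VMM console's PowerShell or with the VMM module loaded.
# Assumptions (not from the deck): object names, pool ranges, host group 'All Hosts'.
Import-Module virtualmachinemanager

$HostGroup = Get-SCVMHostGroup -Name 'All Hosts'

# 1. Logical network for the Provider Address space: "one connected network"
#    with network virtualization enabled and GRE as the encapsulation.
$PaNet = New-SCLogicalNetwork -Name 'PA Network' `
    -LogicalNetworkDefinitionIsolation $false -EnableNetworkVirtualization $true `
    -UseGRE $true -IsPVLAN $false

# 2. Network site (logical network definition): the PA subnet/VLAN pair VMM may
#    use at this location for hosts in the host group. VLAN 0 = untagged.
$PaSite = New-SCLogicalNetworkDefinition -Name 'PA Network - Datacenter' `
    -LogicalNetwork $PaNet -VMHostGroup $HostGroup `
    -SubnetVLan (New-SCSubnetVLan -Subnet '192.168.4.0/24' -VLanID 0)

# 3. Fabric static IP pool: VMM hands out PAs such as 192.168.4.11 and
#    192.168.4.22 to hosts from this range.
$PaPool = New-SCStaticIPAddressPool -Name 'PA Pool' -LogicalNetworkDefinition $PaSite `
    -Subnet '192.168.4.0/24' -IPAddressRangeStart '192.168.4.10' -IPAddressRangeEnd '192.168.4.250' `
    -DefaultGateway (New-SCDefaultGateway -IPAddress '192.168.4.1' -Automatic)

# 4. Uplink port profile: which sites a physical adapter may carry, with HNV on,
#    plus the teaming mode the logical switch will build on the host.
$Uplink = New-SCNativeUplinkPortProfile -Name 'PA Uplink' `
    -LogicalNetworkDefinition $PaSite -EnableNetworkVirtualization $true `
    -LBFOLoadBalancingAlgorithm 'HostDefault' -LBFOTeamMode 'SwitchIndependent'

# 5. Logical switch, then make the uplink profile selectable through it.
$Switch = New-SCLogicalSwitch -Name 'HNV Switch' -EnableSriov $false -SwitchUplinkMode 'Team'
New-SCUplinkPortProfileSet -Name 'PA Uplink' -LogicalSwitch $Switch -NativeUplinkPortProfile $Uplink

# 6. Tenant VM networks on top of the PA logical network. Both use 10.0.0.0/24;
#    VMM gives each its own routing domain and VSID, so the CA ranges may overlap.
#    10.0.0.1 is the HNV default gateway and is kept out of the tenant pool.
foreach ($Tenant in 'Blue Corp', 'Red Corp') {
    $VmNet = New-SCVMNetwork -Name $Tenant -LogicalNetwork $PaNet `
        -IsolationType 'WindowsNetworkVirtualization' `
        -CAIPAddressPoolType 'IPV4' -PAIPAddressPoolType 'IPV4'
    $Subnet = New-SCVMSubnet -Name "$Tenant Subnet1" -VMNetwork $VmNet `
        -SubnetVLan (New-SCSubnetVLan -Subnet '10.0.0.0/24')
    New-SCStaticIPAddressPool -Name "$Tenant Pool" -VMSubnet $Subnet -Subnet '10.0.0.0/24' `
        -IPAddressRangeStart '10.0.0.2' -IPAddressRangeEnd '10.0.0.254' `
        -DefaultGateway (New-SCDefaultGateway -IPAddress '10.0.0.1' -Automatic)
}
```

Once the logical switch is applied to a host and the PA Uplink profile is selected for its adapters, VMM assigns that host a PA from PA Pool and pushes the HNV lookup policy to it; tenants see the Blue Corp and Red Corp VM networks only through a cloud that exposes them.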
Optimal performance when you have 1 (or more) PAs per NIC in the team. For example, a NIC team of 2 NICs should have 2 or more PAs, with the CAs spread between them.
Network virtualization provides tenant traffic isolation per compartment, allows overlapping IP addresses, and is enabled through the Windows Server 2012 R2 Hyper-V host.